Last post Dec 14, 2014 07:43 AM by abhilashba
Dec 14, 2014 03:43 AM|abhilashba
I am developing an ASP.NET Web Pages application. I see that the default Web Page application created in Visual Studio includes the function call to AntiForgery.GetHtml(). I studied and understood the functionality of this call and the AntiForgery.Validate() call as well. But now my question is: should I include this function call in all of the Web Pages that I create? Even if I do add the AntiForgery.GetHtml() in my _Layout.cshtml file, I have to add the second function to validate the page in all of my content pages. Please let me know the right way to do this and the reason why I need to do it a certain way.
Dec 14, 2014 05:14 AM|Afzaal.Ahmad.Zeeshan
No, you can even remove it from that page where Visual Studio added it. Or, yes, you should add it to the pages where you need to get the data from the forms.
The main function of this is that it enables you to secure your forms so that only validated forms provide you with the data. Think of it like a malware-prevention tool which enables you to create tokens in your forms (that send the data) and the requests (that pass the data; cookie is attached). This way, you will get to know whether the request was authenticated (from your own forms; validated ones) or was from any unknown source.
AntiForgery requires cookies to be enabled in your browser. For more on it, please read the Remarks in this MSDN documentation: http://msdn.microsoft.com/en-us/library/system.web.helpers.antiforgery%28v=vs.111%29.aspx
So it doesn't ask you to add this AntiForgery validation process to all of your pages. You just need to add these to your web pages where you get the data from the user. Such as forms, where you log in or register the users or get other sensitive data.
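The pairing discussed in this thread, shown on one form page, as an added example that is not code from either poster or from the Visual Studio template. The page name `Contact.cshtml`, the `message` field and the status texts are assumptions made for illustration.

```razor
@* Constructed example: a hypothetical Contact.cshtml in an ASP.NET Web Pages site. *@
@{
    var status = "";

    if (IsPost) {
        try {
            // Compares the hidden form field written by AntiForgery.GetHtml()
            // with the anti-forgery cookie. Throws if either one is missing
            // or if the two do not match.
            AntiForgery.Validate();

            // Only read and act on the posted data after validation succeeds.
            var message = Request.Form["message"];
            // ... store or process the message here ...
            status = "Thanks, your message was received.";
        }
        catch (System.Web.Mvc.HttpAntiForgeryException) {
            // Token missing or mismatched: the POST was not produced by this form.
            Response.StatusCode = 400;
            status = "The request could not be verified. Reload the page and try again.";
        }
    }
}
<!DOCTYPE html>
<html>
<body>
    <p>@status</p>
    <form method="post">
        @* Emits the hidden token field and sets the matching cookie. *@
        @AntiForgery.GetHtml()
        <label for="message">Message</label>
        <textarea id="message" name="message"></textarea>
        <input type="submit" value="Send" />
    </form>
</body>
</html>
```

A page that only displays content and never handles a POST needs neither call.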
Dec 14, 2014 07:43 AM|abhilashba
That's exactly what I wanted to know. Thank you so much for the detailed explanation.