Last post Dec 01, 2017 11:27 AM by X.Daisy
Nov 30, 2017 05:39 PM|tridip1974|LINK
When we submit a form, the antiforgery token related data stored in the cookie and hidden field is passed to the server action method. I would like to know what the server does to validate both data.
Is the same data stored in the cookie and the hidden field?
How is session related to antiforgery data? Is any antiforgery related data stored in a session variable?
If cookies are disabled on the client side, how will the antiforgery token work?
Nov 30, 2017 05:49 PM|mgebhard|LINK
The antiforgery framework compares a hidden field to a cookie. Session is not involved.
You can learn about the ASP antiforgery token framework in the reference documentation.
Dec 01, 2017 09:49 AM|X.Daisy|LINK
1. The anti-forgery support writes a unique value to an HTTP-only cookie. Then, the same value is set to a hidden form field. When submitting the form, the ValidateAntiForgeryToken attribute will check these two values. If the form value can't match the cookie value, it will raise an error.
2. Session is not required for the anti-forgery token. Anti-forgery related data is stored in an HTTP-only cookie. You can check this article for more details.
3. If cookies are disabled in the browser, anti-forgery can't work correctly.
Here are some links about anti-forgery, you can also refer to them.
Dec 01, 2017 11:17 AM|tridip1974|LINK
Tell me, if cookies are disabled on the client side, what will be the option to work with the anti-forgery token?
Does the anti-forgery token throw an error when cookies are disabled on the client side?
Dec 01, 2017 11:27 AM|X.Daisy|LINK
It will just throw such an error when you try to access the action with the ValidateAntiForgeryToken attribute, since it can't get this cookie's value.
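A simplified model of the cookie versus hidden-field check described in this thread, added here as an example; it is not code from any of the posts and not ASP.NET's own implementation. The class and method names (`AntiForgeryModel`, `IssueToken`, `Validate`) are hypothetical, and the requests in `Main` are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical model of the check described above: one value is written to a
// cookie and to a hidden field, and the server compares the two on POST.
static class AntiForgeryModel
{
    // Issue one random value; the caller writes it to both the cookie and the hidden field.
    public static string IssueToken()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Returns "ok" when the request passes, otherwise the reason it is rejected.
    public static string Validate(string cookieValue, string formValue)
    {
        if (string.IsNullOrEmpty(cookieValue))
            return "rejected: cookie missing";
        if (string.IsNullOrEmpty(formValue))
            return "rejected: form field missing";
        return FixedTimeEquals(cookieValue, formValue) ? "ok" : "rejected: token mismatch";
    }

    // Compare every byte so the timing does not reveal where the values differ.
    static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++)
            diff |= x[i] ^ y[i];
        return diff == 0;
    }

    static void Main()
    {
        string token = IssueToken();
        // Constructed requests, given as (cookie value, hidden field value).
        // 1. Normal post from the site's own form: both carry the issued value.
        Console.WriteLine("own form:           " + Validate(token, token));
        // 2. Browser with cookies disabled: the field arrives, the cookie does not.
        Console.WriteLine("cookies disabled:   " + Validate("", token));
        // 3. Post from another site: the browser sends the cookie, but the field
        //    was not read from this site's page, so the values differ.
        Console.WriteLine("foreign form:       " + Validate(token, IssueToken()));
        // 4. Hidden field removed from the form.
        Console.WriteLine("field missing:      " + Validate(token, ""));
    }
}
```

Case 2 corresponds to the error discussed in the last two posts: with no cookie value to compare against, validation cannot succeed.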