AutoValidateAntiForgeryToken vs. ValidateAntiForgeryToken

asp.net asp.net-core asp.net-core-mvc .net-core
11,526

Solution 1

From AutoValidateAntiforgeryTokenAttribute documentation:

An attribute that causes validation of antiforgery tokens for all unsafe HTTP methods. An antiforgery token is required for HTTP methods other than GET, HEAD, OPTIONS, and TRACE. It can be applied at as a global filter to trigger validation of antiforgery tokens by default for an application.

AutoValidateAntiforgeryTokenAttribute allows to apply Anti-forgery token validation globally to all unsafe methods e.g. POST, PUT, PATCH and DELETE. Thus you don't need to add [ValidateAntiForgeryToken] attribute to each and every action that requires it.

To use it add the following code to your ConfigureServices method of Startup class

services.AddMvc(options =>
{
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});

If you need to ignore Anti forgery validation you can add [IgnoreAntiforgeryToken] attribute to the action.

Solution 2

You may sometimes find yourself in need of marking multiple requests across a controller, while requiring some requests to not require anti-forgery, such as various GET based actions. There are several tools you can use to help the process become more convenient and comfortable for the user. The first is the AutoValidateAntiforgeryToken attribute. It behaves similarly to the ValidateAntiForgeryToken attribute; however, it will automatically ignore actions which are called with the methods: GET, HEAD, OPTIONS, and TRACE, which are designed for data retrieval. This allows you to quickly and easily add anti-forgery to all methods which can change data, without affecting methods for retrieving data.

The following code is an example of the AutoValidateAntiforgeryToken attribute:

[AutoValidateAntiforgeryToken]
public class AntiForgeController : Controller
{
    public IActionResult Index()
    {
        return View();
    }
    [HttpPost]
    public IActionResult Index(string userName)
    {
        return View("Index", userName);
    }
    [HttpDelete]
    public IActionResult RemoveUser(string userName)
    {
        string url = string.Format("~/RemovedUser/{0}", userName);
        return RedirectToAction("Account", "RemoveUser", "User");
    }
}

In this example, the normal Index action (GET) will work regardless of origin, while both the Index action with a POST method and the RemoveUser action which is a DELETE method will both require the client to utilize anti-forgery tokens.

Share:
11,526
Arnold Zahrneinder
Author by

Arnold Zahrneinder

Zei tchewandergehte miezch schtutenawkenen vech ichtanspolzovalt. Technologunden verhnachthayete miezch schtwergte Java siender C#, funderhagte meizch utherwarzin lungunstenen tcherstwastender. Zurch tiech faldangenen enst debei machzen

Updated on June 26, 2022

Comments

  • Arnold Zahrneinder
    Arnold Zahrneinder almost 2 years

    I was trying to secure a post method against side scripting just now through providing an anti forgery token but noticed, in .Net Core there is another attribute named as AutoAntiForgeryToken. The XML comments, and the online search did not provide much info on this new attribute.

    Any help and description of what the new attribute is, will be much appreciated.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

HttpContext does not contain a definition for SignOutAsync
.NET Core Web API: multiple [FromBody]?
How to get absolute path in ASP.Net Core alternative way for Server.MapPath
Opening Visual Studio 2017 projects in Visual Studio 2015
Using the antiforgery cookie in ASP.NET Core but with a non-default CookieName
How to update Visual Studio 2017 Template from ASP.NET Core 2.0 to 2.1
Printing support in .net core
MultipartFormDataStreamProvider for ASP.NET Core 2
How to change App.config to json config file in .Net Core
Any way to restrict ASP.NET Core 2.0 HTTPS to TLS 1.2?