I recently came accros the following note on the Microsoft doc (https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery):
Razor Pages are automatically protected from XSRF/CSRF. You don't have to write any additional code. See XSRF/CSRF and Razor Pages for more information.
Pointing to this other page (https://docs.microsoft.com/en-us/aspnet/core/mvc/razor-pages/index?tabs=visual-studio#xsrf) where it says:
You don't have to write any code for antiforgery validation. Antiforgery token generation and validation are automatically included in Razor Pages.
I use Razor with my ASP.NET MVC application and also protect my forms with the AntiForgeryToken helpers. Because of the way the Antiforgery tokens are validated against each other (hidden field + cookie), my users must allow cookies on the website.
I am now confused with what I read in the doc as it seems to say that I don't need to use the
@Html.AntiForgeryToken() helper or the
[ValidateAntiForgeryToken] attribute when using Razor...?
As an additional question, is there a way to protect my site against CSRF attack without using the cookies?