Razor and Antiforgery

user1292, published on June 20, 2018, 1:31 am
I recently came across the following note in the Microsoft docs (https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery):

"Razor Pages are automatically protected from XSRF/CSRF. You don't have to write any additional code. See XSRF/CSRF and Razor Pages for more information."

It points to this other page (https://docs.microsoft.com/en-us/aspnet/core/mvc/razor-pages/index?tabs=visual-studio#xsrf), where it says:

"You don't have to write any code for antiforgery validation. Antiforgery token generation and validation are automatically included in Razor Pages."

I use Razor with my ASP.NET MVC application and also protect my forms with the AntiForgeryToken helpers. Because of the way the antiforgery tokens are validated against each other (hidden field + cookie), my users must allow cookies on the website.

I am now confused by what I read in the docs, as it seems to say that I don't need to use the @Html.AntiForgeryToken() helper or the [ValidateAntiForgeryToken] attribute when using Razor...?

As an additional question, is there a way to protect my site against CSRF attacks without using cookies?