Home Razor and Antiforgery
Reply: 0

Razor and Antiforgery

user1292 Published in June 20, 2018, 1:31 am

I recently came accros the following note on the Microsoft doc (https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery):

Razor Pages are automatically protected from XSRF/CSRF. You don't have to write any additional code. See XSRF/CSRF and Razor Pages for more information.

Pointing to this other page (https://docs.microsoft.com/en-us/aspnet/core/mvc/razor-pages/index?tabs=visual-studio#xsrf) where it says:

You don't have to write any code for antiforgery validation. Antiforgery token generation and validation are automatically included in Razor Pages.

I use Razor with my ASP.NET MVC application and also protect my forms with the AntiForgeryToken helpers. Because of the way the Antiforgery tokens are validated against each other (hidden field + cookie), my users must allow cookies on the website.

I am now confused with what I read in the doc as it seems to say that I don't need to use the @Html.AntiForgeryToken() helper or the [ValidateAntiForgeryToken] attribute when using Razor...?

As an additional question, is there a way to protect my site against CSRF attack without using the cookies?

You need to login account before you can post.

About| Privacy statement| Terms of Service| Advertising| Contact us| Help| Sitemap|
Processed in 0.319984 second(s) , Gzip On .

© 2016 Powered by mzan.com design MATCHINFO