The tutorials I’ve read tell you to use [ValidateAntiForgeryToken] attributes and <%= Html.AntiForgeryToken() %> in your code.
I was wondering why this isn’t a built-in automatic setting or at least a global toggle in the web.config. Perhaps it is, and I haven’t realised, but I am doing it by hand and I can’t help but wonder if there is a good reason for not handling it automatically behind the scenes. Any ideas?
4
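As an added illustration (not code from the question or any answer), here is the per-action form the tutorials describe, alongside one way to get the global behaviour the question asks about: an authorization filter registered in Global.asax that calls AntiForgery.Validate() on every POST. It assumes ASP.NET MVC 3 or later with a Razor view; the controller, action and view names are placeholders.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Per-action protection, as the tutorials describe it: the form emits a token
// (hidden field plus cookie) and the POST action verifies that the two match.
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        TempData["Message"] = "E-mail updated to " + newEmail; // placeholder for the real update
        return RedirectToAction("Index");
    }
}

// Matching Razor view (ChangeEmail.cshtml); in ASPX syntax the helper is <%= Html.AntiForgeryToken() %>.
// @using (Html.BeginForm("ChangeEmail", "Account", FormMethod.Post)) {
//     @Html.AntiForgeryToken()
//     <input type="email" name="newEmail" />
//     <button type="submit">Save</button>
// }

// Site-wide alternative (assumed approach, not a framework default): a filter that
// validates the token on every POST and is registered once. Registering
// ValidateAntiForgeryTokenAttribute itself globally would also reject GET requests,
// which carry no token, so this filter checks the verb first.
public class ValidateAntiForgeryTokenOnPostFilter : IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        if (string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            // Throws HttpAntiForgeryException when the hidden field or cookie is missing or mismatched.
            AntiForgery.Validate();
        }
    }
}

// Global.asax.cs
public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        GlobalFilters.Filters.Add(new ValidateAntiForgeryTokenOnPostFilter());
        // route and other registrations omitted
    }
}
```

With the global filter in place, any POST whose form omits @Html.AntiForgeryToken() fails with HttpAntiForgeryException, which is the failure mode to watch for when retrofitting existing forms.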
I think in most cases it doesn’t really matter if a form was issued by your server or not.
Anti-forgery tokens require session state on the server. When a user session expires, so do the forms they have open; they become unpostable. This can be pretty annoying.
1