1.5.4. Anti-forgery Tokens

  • Malicious page:

    • If an attacker puts an image tag or an iframe on a page they control, or adds a little JavaScript that auto-submits a hidden form, then when the victim loads that page the browser sends an HTTP request to our endpoint (for example POST /Customers/Save).

    • If the user has an active session on our website, the browser attaches our session cookie to that request automatically, so the request is executed on his behalf even though he never intended it.

  • This attack is CSRF (Cross-Site Request Forgery): the request is forged by another site, and the server cannot distinguish it from a request the user meant to send, because the session cookie alone proves only who the browser is, not where the request came from.

  • Two steps to prevent it (the synchronizer token pattern):

    • 1. Add in the client form, inside the Html.BeginForm block. This renders a hidden __RequestVerificationToken input and sets a matching __RequestVerificationToken cookie; a page on another origin can read neither, so it cannot produce a matching pair.

      @Html.AntiForgeryToken()
    • 2. Add the attribute in the controller to validate. The action is rejected when the form token or cookie token is missing, tampered with, or the two do not match. Apply it to every state-changing (POST) action, not just this one; a GET action that changes state cannot be protected this way and should be converted to POST.

        [HttpPost]
        [ValidateAntiForgeryToken]   // rejects the request unless the hidden form token matches the cookie token
        public ActionResult Save(Customer customer)
        {
            if (!ModelState.IsValid)
            {
                // Re-render the form with the submitted values and the membership types for the dropdown
                var viewModel = new CustomerFormViewModel
                {
                    Customer = customer,
                    MembershipTypes = _context.MembershipTypes.ToList()
                };
                return View("CustomerForm", viewModel);
            }

            if (customer.Id == 0)
            {
                _context.Customers.Add(customer);
            }
            else
            {
                // Single() throws if no customer with this Id exists
                var customerInDb = _context.Customers.Single(c => c.Id == customer.Id);

                // Copy only the editable properties instead of binding the whole entity,
                // so a tampered request cannot overwrite fields the form does not expose
                customerInDb.Name = customer.Name;
                customerInDb.Birthday = customer.Birthday;
                customerInDb.MembershipTypeId = customer.MembershipTypeId;
                customerInDb.IsSubscribedToNewsletter = customer.IsSubscribedToNewsletter;
            }
            _context.SaveChanges();
            return RedirectToAction("Index", "Customers");
        }
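To make concrete why the attacker's page from the "Malicious page" bullets cannot pass the check, here is an added Python model of the cookie + form token pair behind @Html.AntiForgeryToken() and [ValidateAntiForgeryToken]. It is example code written for these notes, not the framework's implementation: SERVER_SECRET (standing in for the machineKey), the token layout, the user names and the four request scenarios are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Stands in for the ASP.NET machineKey; never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_NAME = "__RequestVerificationToken"   # name of both the cookie and the hidden field


def _sign(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def _encode(kind: str, security: str, user: str = "") -> str:
    payload = f"{kind}:{security}:{user}"
    return f"{payload}:{_sign(payload)}"


def _decode(token: str):
    """Return (kind, security, user), or None if the token is malformed or its MAC is bad."""
    parts = token.split(":")
    if len(parts) != 4:
        return None
    kind, security, user, mac = parts
    if not hmac.compare_digest(mac, _sign(f"{kind}:{security}:{user}")):
        return None
    return kind, security, user


def issue_tokens(user: str):
    """Rendering @Html.AntiForgeryToken(): a cookie token and a hidden form field that
    share one fresh random security value. The form token also names the user."""
    security = secrets.token_hex(16)
    return _encode("cookie", security), _encode("form", security, user)


def validate(cookies: dict, form: dict, user: str) -> bool:
    """[ValidateAntiForgeryToken]: both tokens present, authentic, of the right kind,
    sharing the same security value, and the form token issued for the current user."""
    c = _decode(cookies.get(TOKEN_NAME, ""))
    f = _decode(form.get(TOKEN_NAME, ""))
    if c is None or f is None:
        return False
    c_kind, c_sec, _ = c
    f_kind, f_sec, f_user = f
    return (c_kind == "cookie" and f_kind == "form"
            and hmac.compare_digest(c_sec, f_sec) and f_user == user)


# --- constructed scenarios (hypothetical users "alice" and "mallory") ---------

def legitimate_post(user: str = "alice") -> bool:
    """User loads CustomerForm on our site, then submits it: cookie and field match."""
    cookie, field = issue_tokens(user)
    return validate({TOKEN_NAME: cookie}, {TOKEN_NAME: field, "Name": "Alice"}, user)


def cross_site_post_no_token(user: str = "alice") -> bool:
    """Attacker's page auto-submits a form to /Customers/Save. The browser attaches our
    cookie, but the attacker's form has no hidden field (it cannot read our page)."""
    cookie, _ = issue_tokens(user)                      # victim already holds this cookie
    return validate({TOKEN_NAME: cookie}, {"Name": "pwned"}, user)


def cross_site_post_guessed_token(user: str = "alice") -> bool:
    """Attacker invents a field value; without SERVER_SECRET the MAC cannot be right."""
    cookie, _ = issue_tokens(user)
    fake = f"form:{secrets.token_hex(16)}:{user}:{'0' * 64}"
    return validate({TOKEN_NAME: cookie}, {TOKEN_NAME: fake, "Name": "pwned"}, user)


def cross_site_post_attackers_own_token() -> bool:
    """Attacker logs in as 'mallory', takes a genuine form token from her own page and
    replays it against the victim's cookie: the security values do not match."""
    victim_cookie, _ = issue_tokens("alice")
    _, mallory_field = issue_tokens("mallory")
    return validate({TOKEN_NAME: victim_cookie},
                    {TOKEN_NAME: mallory_field, "Name": "pwned"}, "alice")


if __name__ == "__main__":
    print("legitimate:", legitimate_post())                       # True
    print("no token:", cross_site_post_no_token())                 # False
    print("guessed token:", cross_site_post_guessed_token())       # False
    print("attacker's own token:", cross_site_post_attackers_own_token())  # False
```

The point of the model is the pairing: the browser will always send the cookie, so the cookie alone proves nothing; only the hidden field, which lives in a page the attacker's origin cannot read, ties the request to a form we rendered. The protection therefore assumes our pages are free of XSS (a script running on our origin can read the field) and that the secret used to sign the tokens stays on the server.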
