33

Is @Html.AntiForgeryToken() still required in ASP.NET .NET4.6 vNext?

The form decorations have changed to

<form asp-controller="Account" 
      asp-action="Login" 
      asp-route-returnurl="@ViewBag.ReturnUrl" 
      method="post" 
      class="form-horizontal" 
      role="form">

From this

@using (Html.BeginForm("Login", 
                       "Account", 
                       new { ReturnUrl = ViewBag.ReturnUrl }, 
                       FormMethod.Post, 
                       new { @class = "", role = "form" }))

And no longer include this

@Html.AntiForgeryToken()

The Controller Actions are still marked with the ValidateAntiForgeryToken attribute as expected, though, so where exactly is it coming from? Automagically?

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
matt.
  • 2,355
  • 5
  • 32
  • 43

1 Answer

56

The form tag helper will automatically add the anti-forgery token (unless you use it as a standard html form element, manually adding an action attribute). Check the source code of the form tag helper and you will see the following at the end of the Process method.

if (Antiforgery ?? antiforgeryDefault)
{
    var antiforgeryTag = Generator.GenerateAntiforgery(ViewContext);
    if (antiforgeryTag != null)
    {
        output.PostContent.AppendHtml(antiforgeryTag);
    }
}

If you check the html of the login page, you will see the following hidden input inside the form:

<input name="__RequestVerificationToken" type="hidden" value="CfDJ8BIeHClDdT9...">

You can also manually enable/disable it by adding the asp-antiforgery attribute:

<form asp-controller="Account" asp-action="Register" asp-antiforgery="false" method="post" class="form-horizontal" role="form">
Daniel J.G.
  • 34,266
  • 9
  • 112
  • 112
  • 5
    As of MVC 6, Asp.net 5 RC1 the Tag Helper is "asp-antiforgery" not "asp-anti-forgery", not sure if it was already like that or changed.
    – Sunil Shahi Dec 01 '15 at 04:26
  • 1
    it also seems that the <form> needs a separate closing tag </form> for this attribute to generate. it does not seem to work with a self-closing form tag <form />. maybe because self-closing form tags are not valid HTML5, in which case the lack of a compiler or even a runtime error is still annoying
    – symbiont Mar 09 '22 at 15:01
  • You say `(Unless you use it as a standard html form element, manually adding an action attribute)` But what if the form points to itself with no action attribute at all? – nl-x Jul 04 '23 at 10:06
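As an added illustration of the question and the answer above (example view written for this page; it is neither from the original posts nor from the ASP.NET Core sources), here is one Razor view with the three cases the answer distinguishes: the tag-helper form, which gets the hidden `__RequestVerificationToken` input appended automatically; a plain HTML form with a hand-written `action` attribute, which per the answer does not get the token unless you add it yourself; and the explicit opt-out via `asp-antiforgery="false"`. The view model fields (`Email`, `Password`) and the `Search` controller are assumed names.

```cshtml
@* Views/Account/Login.cshtml -- constructed example, not the page's own view.
   LoginViewModel.Email / .Password and the Search controller are assumed names. *@
@model LoginViewModel

@* Case 1: asp-* attributes trigger FormTagHelper. Its Process method appends
   <input name="__RequestVerificationToken" type="hidden" value="..."> to the
   form's PostContent, so an @Html.AntiForgeryToken() call is redundant here. *@
<form asp-controller="Account" asp-action="Login"
      asp-route-returnurl="@ViewBag.ReturnUrl" method="post">
    <input asp-for="Email" />
    <input asp-for="Password" type="password" />
    <button type="submit">Log in</button>
</form>

@* Case 2: a hand-written action attribute means "normal <form>" to the tag
   helper; according to the answer no token is emitted, so a POST to an action
   marked [ValidateAntiForgeryToken] is rejected with HTTP 400. Putting the
   token in explicitly restores the same hidden input as case 1. *@
<form action="/Account/Login" method="post">
    @Html.AntiForgeryToken()
    <input name="Email" />
    <input name="Password" type="password" />
    <button type="submit">Log in</button>
</form>

@* Case 3: explicit opt-out. Only sensible for an action that does not change
   state and is not decorated with [ValidateAntiForgeryToken]; a POST action
   that validates the token would reject this form every time. *@
<form asp-controller="Search" asp-action="Index" method="get" asp-antiforgery="false">
    <input name="q" />
    <button type="submit">Search</button>
</form>
```

To verify which case you are in, do what the answer suggests: view the rendered page source and look for the `__RequestVerificationToken` hidden input inside each `<form>` element; its absence in a POST form is the bug. On the server side, decorating the controller with `[AutoValidateAntiforgeryToken]` (or registering `AutoValidateAntiforgeryTokenAttribute` as a global filter) validates the token on every POST, PUT, PATCH and DELETE without relying on each action remembering `[ValidateAntiForgeryToken]`, so a form that silently lost its token fails closed instead of becoming an unprotected endpoint.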