
In ASP.NET Web Forms, viewstate data is hashed and a hidden input is added to the form to validate it when a request is received. So if a malicious user decides to alter the viewstate, an error occurs when the form is sent back to the application.

Is there such a facility available (as an attribute or otherwise) built into ASP.NET Core MVC forms, especially unobtrusive Ajax forms?

Thank you.

marc_s
mz1378
  • I think on the ASP.NET MVC action method, you need to declare the ValidateAntiForgeryToken attribute – jalil Mar 03 '19 at 11:00
  • It only works for anti-forgery attack prevention. I changed the value of one of the hidden inputs using JavaScript and the method executed, even though I applied the AntiForgery attribute to the method and I can see the token when inspecting the rendered HTML using F12. – mz1378 Mar 03 '19 at 20:57

1 Answer


You can use annotations; the ValidateAntiForgeryToken attribute is there to prevent cross-site request forgery attacks:

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Logout()
{
    // ...
    return View();
}

Need some guide line for AntiForgeryToken use in MVC
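
The comment under the question observes that the anti-forgery token does not detect an edited hidden input. One way to get a ViewState-MAC-style check in ASP.NET Core is to round-trip the hidden value through the Data Protection API, shown here as an added example that is not part of the original answer; the controller, model and purpose-string names are hypothetical, and an authenticated user is assumed.

```csharp
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Mvc;

// Hypothetical model: ProtectedOrderId is rendered as <input type="hidden">.
public class OrderEditModel
{
    public string? ProtectedOrderId { get; set; }
    public string? Comment { get; set; }
}

public class OrdersController : Controller   // hypothetical controller
{
    private readonly IDataProtector _protector;

    // The purpose string isolates these payloads from other protectors in the app.
    public OrdersController(IDataProtectionProvider provider) =>
        _protector = provider.CreateProtector("Orders.Edit.HiddenFields.v1");

    [HttpGet]
    public IActionResult Edit(int id)
    {
        // Bind the value to the current user so a token copied from another account fails.
        var payload = $"{User.Identity?.Name}|{id}";
        return View(new OrderEditModel { ProtectedOrderId = _protector.Protect(payload) });
    }

    [HttpPost]
    [ValidateAntiForgeryToken]   // still required: it stops CSRF, not field tampering
    public IActionResult Edit(OrderEditModel model)
    {
        string payload;
        try
        {
            payload = _protector.Unprotect(model.ProtectedOrderId ?? string.Empty);
        }
        catch (CryptographicException)
        {
            return BadRequest();   // altered, truncated, or not issued by this app
        }

        var sep = payload.LastIndexOf('|');
        if (sep < 0 || payload[..sep] != (User.Identity?.Name ?? "")
            || !int.TryParse(payload[(sep + 1)..], out var id))
            return BadRequest();

        // ... load order `id`, check the user may edit it, apply model.Comment ...
        return RedirectToAction(nameof(Edit), new { id });
    }
}
```

The protected value is encrypted as well as authenticated, so the client can neither read nor change it; the server-side authorization check on the decoded id is still needed, since integrity of the field only proves the value was issued by the application.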