What is the use of @Html.AntiForgeryToken()?

Published 2020-02-17 06:19

Question:

Why do we need to use @Html.AntiForgeryToken()? I searched but I didn't get a satisfactory answer.

Answer 1:

This is a security feature to help protect your application against cross-site request forgery.

Example:

Let's assume you have register functionality in your web app. You have an AccountController (somename.com/account/register) where you expect people to submit their info. Normally, before someone posts the registration information, they need to visit the actual page (somename.com/account/register) and then submit the form.

Let's say I am a bad guy and I want to flood your server with junk info; all I need to do is keep posting directly to (somename.com/account/register) without visiting your site. So in order to stop me, you implement AntiForgeryToken so you can make sure I visited the page before I submitted the registration information.

Another example is (http://www.binaryintellect.net/articles/20e546b4-3ae9-416b-878e-5b12434fe7a6.aspx)



Answer 2:

This is to prevent cross-site request forgery in your MVC application. This is part of the OWASP Top 10 and it is vital in terms of web security. Using the @Html.AntiForgeryToken() method will generate a token for every request, so that no one can forge a form post.



Answer 3:

What is the use of @Html.AntiForgeryToken()?

Live scenario:

Suppose you are logged into your bank account and are going to transfer some money to your friend. A hacker knows that you are logged in and also knows the URL of the money transfer submission. Suddenly, you get an email and check it. You see an image and, by mistake, you click on it. Then, after a minute or so, you get another message that some amount has been deducted from your account. Actually, that image had been sent by the hacker, and behind that image a URL was submitted on your click.

That is why we use AntiForgeryToken() in the application, to protect it from hackers.