  • Category: ASP.Net MVC

    Re: Cross Site Request Forgery using Challenge Token

    Hey Guys,
    I need to implement the challenge token for 'Cross Site Request Forgery' in my website which is developed using ASP.Net MVC 4.
    I can upgrade my site to MVC 5 or more.
    Has anyone worked on Cross Site Request Forgery using a Challenge Token, where we need to generate a token on the server, embed it in the current html/cshtml page, and then send that token to the server with each request?
    Can someone please give me some idea of the implementation? It would be a great help to me.
    Otherwise, please suggest some good sites where I can get a code snippet to implement it.
    Thanks in advance.
  • #764277
    Hi Guys,
    After some research, once again I found out the ways to do it. When the user posts some content, the attacker can include some script to get the data.
    There are many ways through which we can prevent the Cross Site Request Forgery for our web application like:
    1. Use Secret Cookies
    2. URL Rewriting
    3. Token based in which the server generates the token and for each request the token will be sent from the client and will be verified by the server.
    Now, if we just consider token-based authentication, we can generate a unique session for each request, and the server will check the current request, match the session key and verify the user.
    For our request (POST request), we can have Html.AntiForgeryToken() included with the request so that it generates the token automatically and embeds it in the current HTML page. On the server side, we validate the action method by applying the [ValidateAntiForgeryToken] attribute, so that each request is validated.
    For more security, we can give the token a name, e.g. Html.AntiForgeryToken("MySecretKey"), and at the server we can use the same name like:
    We can also follow the below link for the implementation:

    Hope it will be helpful to you.

    Pawan Awasthi(DNS MVM)
    +91 8123489140 (whatsApp), +60 14365 1476(Malaysia)
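As an added example (not code from the post above or from any project it links to), the following controller shows the token flow the answer describes in ASP.NET MVC 4/5: `@Html.AntiForgeryToken()` renders the hidden `__RequestVerificationToken` field and sets the matching cookie, and `[ValidateAntiForgeryToken]` checks the pair on the POST action before the action body runs. It also shows the manual `AntiForgery.Validate(cookieToken, formToken)` check for an AJAX call that carries the token in a request header, since the attribute only reads the form field. The controller name `ProfileController`, the `ProfileViewModel` type and the header name `X-RequestVerificationToken` are assumptions chosen for the example.

```csharp
// Controllers/ProfileController.cs (hypothetical controller for this example)
using System.Web;
using System.Web.Helpers;   // AntiForgery / AntiForgeryConfig (manual validation)
using System.Web.Mvc;

public class ProfileViewModel
{
    public string DisplayName { get; set; }
}

public class ProfileController : Controller
{
    // GET must not change state: [ValidateAntiForgeryToken] is applied only to
    // the POST action below, so a GET that mutated data would be reachable from
    // any cross-site link or <img> tag without a token.
    [HttpGet]
    public ActionResult Edit()
    {
        return View(new ProfileViewModel { DisplayName = "current value" });
    }

    // Views/Profile/Edit.cshtml (Razor, shown here as a comment):
    //
    //   @model ProfileViewModel
    //   @using (Html.BeginForm("Edit", "Profile", FormMethod.Post))
    //   {
    //       @Html.AntiForgeryToken()   // hidden __RequestVerificationToken field
    //                                  // plus the __RequestVerificationToken cookie
    //       @Html.TextBoxFor(m => m.DisplayName)
    //       <input type="submit" value="Save" />
    //   }
    //
    // [ValidateAntiForgeryToken] compares the hidden field with the cookie; a
    // missing or mismatched token throws HttpAntiForgeryException before this
    // method runs, so a forged cross-site form post never reaches the body.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(ProfileViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // ... persist model.DisplayName for the signed-in user ...
        return RedirectToAction("Edit");
    }

    // AJAX variant. Client-side (jQuery, as a comment) the script reads the
    // hidden field rendered by @Html.AntiForgeryToken() and sends it in a
    // header (header name is an assumption for this example):
    //
    //   var token = $('input[name="__RequestVerificationToken"]').val();
    //   $.ajax({ url: '/Profile/EditAjax', type: 'POST',
    //            headers: { 'X-RequestVerificationToken': token },
    //            data: { DisplayName: 'new value' } });
    //
    // Because the token is not in a form field, validate it manually.
    [HttpPost]
    public ActionResult EditAjax(ProfileViewModel model)
    {
        HttpCookie cookie = Request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;
        string formToken = Request.Headers["X-RequestVerificationToken"];

        // Throws HttpAntiForgeryException when either token is missing or the
        // pair does not match; nothing below executes in that case.
        AntiForgery.Validate(cookieToken, formToken);

        // ... persist model.DisplayName ...
        return Json(new { ok = true });
    }
}
```

Two practical checks follow from this layout: every state-changing action should be `[HttpPost]` (or another non-GET verb) so the attribute actually applies, and the site should be served over HTTPS with `AntiForgeryConfig.RequireSsl = true` in `Application_Start` if the anti-forgery cookie must never travel in clear text.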
