In this article I will explain, with an example, what an AntiForgery Token is and how to use it in ASP.Net Core MVC.
Note: For beginners in ASP.Net Core MVC, please refer to my article ASP.Net MVC Core Hello World Tutorial with Sample Program example.
 
 
AntiForgery Token
Forgery means copying or imitating an important thing in order to generate fake items which can deceive the authority, so that financial gains can be achieved.
In a website, forgery is usually carried out as a cross-site request forgery (CSRF), an attack in which a harmful script element, malicious command, or code causes a request to be sent to the website from the user’s browser.
An AntiForgery Token is used to stop such attacks on a website with the help of a unique token which is used to identify the real server and the real client.
 
 
Controller
The Controller consists of two Action methods.
Action method for handling GET operation
Inside this Action method, simply the View is returned.
 
Action method for handling POST operation
The Action method for the POST operation accepts the values of First Name and Last Name sent from the View and assigns them to a ViewBag object.
Attributes
The Action method is decorated with the following attributes.
HttpPost: The HttpPost attribute signifies that the method will accept HTTP POST requests.
ValidateAntiForgeryToken: The ValidateAntiForgeryToken attribute is used to prevent cross-site request forgery attacks.
Note: A cross-site request forgery is an attack carried out by sending a harmful script element, malicious command, or code from the user’s browser.
 
public class HomeController : Controller
{
    public IActionResult Index()
    {
        return View();
    }
 
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Index(string firstName, string lastName)
    {
        ViewBag.Name = string.Format("Name: {0} {1}", firstName, lastName);
        return View();
    }
}
 
 
View
The View consists of an HTML Form which has been created using the Razor Tag Helpers with the following attributes.
asp-action – Name of the Action. In this case the name is Index.
asp-controller – Name of the Controller. In this case the name is Home.
method – It specifies the Form Method i.e. GET or POST. In this case it will be set to POST.
The AntiForgery Token has been added to the View using the AntiForgeryToken function of the HTML Helper class.
Inside the Form, there are two TextBox fields created for capturing values for First Name and Last Name. Both TextBoxes have been specified with Name attribute which will be required to fetch the TextBox values inside the Controller.
There’s also a Submit Button at the end of the Form and when the Button is clicked, the Form is submitted.
Finally, the value of the ViewBag object is displayed using Razor syntax.
@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
@{
    Layout = null;
}
 
<!DOCTYPE html>
 
<html>
<head>
    <meta name="viewport" content="width=device-width"/>
    <title>Index</title>
</head>
<body>
    <form method="post" enctype="multipart/form-data" asp-controller="Home" asp-action="Index">
        @Html.AntiForgeryToken()
        <table>
            <tr>
                <td>First Name: </td>
                <td><input type="text" id="txtFirstName" name="FirstName"/></td>
            </tr>
            <tr>
                <td>Last Name: </td>
                <td><input type="text" id="txtLastName" name="LastName"/></td>
            </tr>
            <tr>
                <td></td>
                <td><input type="submit" value="Submit"/></td>
            </tr>
        </table>
        <hr/>
        @ViewBag.Name
    </form>
</body>
</html>
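One way to check that the protection described above is actually active, as an added example that is not part of the original article: an xUnit integration test against the HomeController and View shown here. It assumes a separate test project that references the web application and the Microsoft.AspNetCore.Mvc.Testing and xunit packages, and that the application's Program class is visible to that project; the values John and Doe are constructed sample input.

```csharp
// Added example (assumed test project; John/Doe are constructed sample values).
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

public class AntiForgeryTests : IClassFixture<WebApplicationFactory<Program>>
{
    private readonly WebApplicationFactory<Program> _factory;
    public AntiForgeryTests(WebApplicationFactory<Program> factory) => _factory = factory;

    // Builds the form body; the token field is added only when one is supplied.
    private static FormUrlEncodedContent Form(string token = "")
    {
        var fields = new Dictionary<string, string>
        {
            ["FirstName"] = "John",
            ["LastName"] = "Doe"
        };
        if (token.Length > 0) fields["__RequestVerificationToken"] = token;
        return new FormUrlEncodedContent(fields);
    }

    [Fact]
    public async Task Post_without_token_is_rejected()
    {
        var client = _factory.CreateClient();
        var response = await client.PostAsync("/Home/Index", Form());
        // [ValidateAntiForgeryToken] short-circuits the request with 400.
        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
    }

    [Fact]
    public async Task Post_with_token_from_the_form_is_accepted()
    {
        var client = _factory.CreateClient(); // keeps the antiforgery cookie
        var html = await client.GetStringAsync("/Home/Index");
        // Read the hidden field rendered by @Html.AntiForgeryToken().
        var match = Regex.Match(html,
            "name=\"__RequestVerificationToken\"[^>]*value=\"([^\"]+)\"");
        Assert.True(match.Success);
        var response = await client.PostAsync("/Home/Index", Form(match.Groups[1].Value));
        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
        Assert.Contains("Name: John Doe", await response.Content.ReadAsStringAsync());
    }
}
```

If the first test starts returning 200, the ValidateAntiForgeryToken attribute has been removed from the POST action or validation has been disabled.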
 
 