In this article I will explain with an example, how to use AntiForgery Token in ASP.Net MVC.
Model
Following is a Model class named PersonModel with four properties i.e. PersonId, Name, Gender and City.
public class PersonModel
{
///<summary>
/// Gets or sets PersonId.
///</summary>
public int PersonId { get; set; }
///<summary>
/// Gets or sets Name.
///</summary>
public string Name { get; set; }
///<summary>
/// Gets or sets Gender.
///</summary>
public string Gender { get; set; }
///<summary>
/// Gets or sets City.
///</summary>
public string City { get; set; }
}
Controller
The Controller consists of two Action methods.
Action method for handling GET operation
Inside this Action method, simply the View is returned.
Action method for handling POST operation
The Action method for POST operation accepts an object of the PersonModel class as parameter. The values posted from the Form inside the View are received through this parameter.
Attributes
The Action method is decorated with the following attributes.
HttpPost: The HttpPost attribute which signifies that the method will accept Http Post requests.
ValidateAntiForgeryToken: The ValidateAntiForgeryToken attribute is used to prevent cross-site request forgery attacks.
Note: A cross-site request forgery is an attack is done by sending harmful script element, malicious command, or code from the user’s browser.
public class HomeController : Controller
{
// GET: Home
public ActionResult Index()
{
return View();
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Index(PersonModel person)
{
int personId = person.PersonId;
string name = person.Name;
string gender = person.Gender;
string city = person.City;
return View();
}
}
View
Inside the View, in the very first line the PersonModel class is declared as Model for the View.
The View consists of an HTML Form which has been created using the Html.BeginForm method with the following parameters.
ActionName – Name of the Action. In this case the name is Index.
ControllerName – Name of the Controller. In this case the name is Home.
FormMethod – It specifies the Form Method i.e. GET or POST. In this case it will be set to POST.
There are three TextBox fields created for capturing values for PersonId, Name and City using the Html.TextBoxFor method. While for capturing the Gender value, a DropDownList with three options is created using the Html.DropDownListFor function.
The AntiForgery Token has been added to the View using the AntiForgeryToken function of the HTML Helper class.
There’s also a Submit Button at the end of the Form and when the Button is clicked, the Form is submitted.
@model Form_Post_AntiForgery_MVC.Models.PersonModel
@{
Layout = null;
}
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width" />
<title>Index</title>
</head>
<body>
@using (Html.BeginForm("Index", "Home", FormMethod.Post))
{
@Html.AntiForgeryToken()
<table cellpadding="0" cellspacing="0">
<tr>
<th colspan="2" align="center">Person Details</th>
</tr>
<tr>
<td>PersonId: </td>
<td>
@Html.TextBoxFor(m => m.PersonId)
</td>
</tr>
<tr>
<td>Name: </td>
<td>
@Html.TextBoxFor(m => m.Name)
</td>
</tr>
<tr>
<td>Gender: </td>
<td>
@Html.DropDownListFor(m => m.Gender, new List<SelectListItem>
{ new SelectListItem{Text="Male", Value="M"},
new SelectListItem{Text="Female", Value="F"}}, "Please select")
</td>
</tr>
<tr>
<td>City: </td>
<td>
@Html.TextBoxFor(m => m.City)
</td>
</tr>
<tr>
<td></td>
<td><input type="submit" value="Submit" /></td>
</tr>
</table>
}
</body>
</html>
Screenshots
The Form
![Using AntiForgery Token in ASP.Net MVC]()
Values captured in Controller when Form is submitted
![Using AntiForgery Token in ASP.Net MVC]()
Downloads
