If I add multiple forms in a single page, do I need to add separate Anti-Forgery Tokens in each form?

asp.net-mvc antiforgerytoken
neebz picture neebz · May 4, 2011 · Viewed 11.6k times · Source

If the answer is yes then how would ASP.NET MVC find out that which token was linked to which form and how to validate it?

I've seen it is creating two separate tokens for each form.

Answer

Darin Dimitrov picture Darin Dimitrov · May 4, 2011

There is nothing specific that you need to do in this case. ASP.NET MVC will simply reuse the same value for all forms so it doesn't need to know which form sent the request in order to validate it. Simply put an Html.AntiForgeryToken() in each form and decorate each controller action you are posting to with the [ValidateAntiForgeryToken] attribute and you should be OK.

Related questions

jQuery Ajax calls and the Html.AntiForgeryToken()

I have implemented in my app the mitigation to CSRF attacks following the informations that I have read on some blog post around the internet. In particular these post have been the driver of my implementation Best Practices for ASP.…

Read More
How can I supply an AntiForgeryToken when posting JSON data using $.ajax?

I am using the code as below of this post: First I will fill an array variable with the correct values for the controller action. Using the code below I think it should be very straightforward by just adding the …

Read More
Troubleshooting anti-forgery token problems

I have a form post that consistently gives me an anti-forgery token error. Here is my form: @using (Html.BeginForm()) { @Html.AntiForgeryToken() @Html.EditorFor(m => m.Email) @Html.EditorFor(m => m.Birthday) <p> <input type="…

Read More