If the answer is yes then how would ASP.NET MVC find out that which token was linked to which form and how to validate it?
I've seen it is creating two separate tokens for each form.
There is nothing specific that you need to do in this case. ASP.NET MVC will simply reuse the same value for all forms so it doesn't need to know which form sent the request in order to validate it. Simply put an Html.AntiForgeryToken()
in each form and decorate each controller action you are posting to with the [ValidateAntiForgeryToken]
attribute and you should be OK.