I read about how to use `@Html.AntiForgeryToken()` to generate an encrypted value in a hidden field, which will also match another value that is stored as a session cookie in the user's browser.
But my questions are:
1. Will the value in the session cookie be encrypted also?
2. And if yes, then how will the `[ValidateAntiForgeryToken]` attribute on the controller action know how to decrypt both values and match them?
BR
Yes. It represents a token, and it's the same value as the one used for the hidden field. Actually it's the `Html.AntiForgeryToken()` helper that does 2 things: it generates the token and renders it in a hidden field, and it also sets a cookie with the same value. It uses the same encryption/decryption algorithm that classic WebForms use to encrypt/decrypt ViewState. It's a symmetric encryption algorithm based on the machine keys. That's why, if you are running in a web farm, you should ensure that you have the same machine keys across all nodes: if an anti-forgery token was generated and encrypted on one node of the web farm, it might not be able to be decrypted on another node when the POST request is sent if the machine keys do not match.
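To make the mechanism in the answer concrete, here is an added example (not ASP.NET MVC's own code) that models the cookie/hidden-field pair and the web-farm failure case. It stands in for the machine-key protection with an HMAC-signed token, which is an assumption: ASP.NET actually uses an encrypt-and-authenticate scheme keyed from `<machineKey>`, but the dependency on a shared key, and the consequence of two nodes having different keys, is the same. The node keys and request values below are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

TAG_LEN = 32  # SHA-256 HMAC tag appended to each token


def protect(machine_key: bytes, payload: bytes) -> str:
    """Stand-in for the framework's machine-key protection: payload || HMAC(key, payload)."""
    tag = hmac.new(machine_key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def unprotect(machine_key: bytes, token: str) -> Optional[bytes]:
    """Return the payload only if the token was protected under this machine key."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(machine_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key (other farm node) or tampered token
    return payload


def issue_tokens(machine_key: bytes) -> Tuple[str, str]:
    """What Html.AntiForgeryToken() conceptually does: one random value, written twice,
    once into the anti-forgery cookie and once into the hidden form field."""
    nonce = secrets.token_bytes(16)
    cookie_token = protect(machine_key, nonce)
    form_token = protect(machine_key, nonce)
    return cookie_token, form_token


def validate(machine_key: bytes, cookie_token: str, form_token: str) -> bool:
    """What [ValidateAntiForgeryToken] conceptually does on the POST: unprotect both
    values with the node's key and require the embedded values to match."""
    cookie_value = unprotect(machine_key, cookie_token)
    form_value = unprotect(machine_key, form_token)
    if cookie_value is None or form_value is None:
        return False
    return hmac.compare_digest(cookie_value, form_value)


# Constructed machine keys for two hypothetical web-farm nodes.
NODE_A_KEY = hashlib.sha256(b"constructed-machine-key-node-A").digest()
NODE_B_KEY = hashlib.sha256(b"constructed-machine-key-node-B").digest()


def web_farm_demo() -> dict:
    """Issue the token pair on node A, then replay the POST against several nodes/inputs."""
    cookie_token, form_token = issue_tokens(NODE_A_KEY)
    # A second, unrelated page render: its hidden field must not pair with the first cookie.
    _, other_form_token = issue_tokens(NODE_A_KEY)
    tampered_form = form_token[:-2] + ("AA" if form_token[-2:] != "AA" else "BB")
    return {
        "same_node": validate(NODE_A_KEY, cookie_token, form_token),
        "other_node_different_key": validate(NODE_B_KEY, cookie_token, form_token),
        "mismatched_pair": validate(NODE_A_KEY, cookie_token, other_form_token),
        "tampered_form_field": validate(NODE_A_KEY, cookie_token, tampered_form),
        "missing_form_field": validate(NODE_A_KEY, cookie_token, ""),
    }


if __name__ == "__main__":
    for case, ok in web_farm_demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The `other_node_different_key` case is the web-farm problem the answer describes: the POST is perfectly valid, but node B cannot unprotect tokens that node A produced, so the request is rejected until every node shares the same `<machineKey>`. The comparison of the two embedded values uses `hmac.compare_digest` so that validation time does not depend on where the values differ.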