It is my understanding that the anti-forgery token concept is sent as part of the HTML (like in a hidden form field), but what if a mobile client app wants to use the API to log in and register etc…? I’m not sure what to do; do I disable the forgery token altogether? It would be nice to keep it, since it is also a website that uses the API.
Specifically, I’m using MVC 4, and I’m looking at the AccountController that ships with the default template… It has a ValidateAntiForgeryToken attribute on Login…? Does it assume that you will always log in via an HTML web page form?
The concept of the anti-forgery token is to embed a hidden field with a value generated by the framework (for POST requests) or attach it to the URL address (GET requests). The value is then validated on the server side.
The default template assumes that you will be logging in via an HTML web page. If you want to create an app that uses the API, you’ve got to set up your own authorization mechanism. If your app uses your online site in its mobile version, you don’t have to change anything.
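To make the mechanism in the answer concrete: an added example (not the asker's or answerer's code, and not the MVC 4 template's AccountController verbatim) showing the two halves of the anti-forgery check in MVC 4. The browser Login action keeps `[ValidateAntiForgeryToken]`; the hidden field and its companion cookie are both emitted by `@Html.AntiForgeryToken()` in the view. For a non-browser client there is no form to carry the hidden field, so a second action hands the client the same token pair and then validates it explicitly with `System.Web.Helpers.AntiForgery.Validate`. The `Token`/`ApiLogin` action names, the `X-AntiForgery-*` header names and the `LoginModel` shape are assumptions for illustration.

```csharp
using System.Web.Helpers;   // AntiForgery
using System.Web.Mvc;
using System.Web.Security;  // Membership, FormsAuthentication

// ASSUMPTION: mirrors the template's model fields; trimmed for the example.
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    // Browser path, as in the template. @Html.AntiForgeryToken() in the view
    // writes a hidden "__RequestVerificationToken" field AND a cookie holding
    // the other half. The attribute rejects the POST unless both halves are
    // present and were issued together; a cross-site page can auto-submit a
    // form but cannot read our cookie, so it cannot build a matching pair.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, false);
            // Only follow local return URLs, otherwise this is an open redirect.
            if (Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    // Non-browser path, step 1 (assumed action name): hand the client the
    // same token pair the helper would have put in the page.
    [HttpGet]
    public ActionResult Token()
    {
        string cookieToken, formToken;
        AntiForgery.GetTokens(null, out cookieToken, out formToken);
        return Json(new { cookieToken, formToken }, JsonRequestBehavior.AllowGet);
    }

    // Step 2 (assumed action and header names): the client sends both halves
    // back in headers. AntiForgery.Validate is the same check the attribute
    // performs, but on values we pass in instead of the form field + cookie.
    [HttpPost]
    public ActionResult ApiLogin(LoginModel model)
    {
        string cookieToken = Request.Headers["X-AntiForgery-Cookie"];
        string formToken   = Request.Headers["X-AntiForgery-Form"];
        try
        {
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpAntiForgeryException)
        {
            return new HttpStatusCodeResult(403, "Anti-forgery token missing or invalid");
        }

        if (!Membership.ValidateUser(model.UserName, model.Password))
            return new HttpStatusCodeResult(401);

        FormsAuthentication.SetAuthCookie(model.UserName, false);
        return Json(new { ok = true });
    }
}
```

Two caveats worth knowing before copying this. First, in MVC 4 the token is bound to the identity of the request that generated it, so a pair fetched while anonymous is only good for anonymous requests; after a successful login the client has to fetch a fresh pair before posting to actions that require an authenticated user. Second, CSRF is a problem because the browser attaches the auth cookie to any request, including one a hostile page triggers; a mobile client that authenticates with a token it puts in an Authorization header itself, and carries no cookie, does not have that exposure, which is the reason the answer says an API client can use its own authorization mechanism instead of the hidden-field token.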