Posted 19 Sep 2012
Protect Your Form Postback with Anti-Forgery

ozkar garcia, 19 Sep 2012
Secure a web page postback from malicious exploits.

To secure a web page postback from malicious exploits, we can add a security token as a hidden field to the form or a cookie. When a postback is received, this token is validated to make sure that the request is not a cross-site request forgery.

When working with Razor Web Pages and WebMatrix, we can find a handy helper which provides this implementation right out of the box. The AntiForgery helper gives us the capability to create and validate the secured encrypted token by just using a couple of lines of code. This helper is found in the System.Web.Helpers.dll assembly, and it should be added automatically as a reference to your project in the bin folder.

To show you how to use this helper, open a web page in WebMatrix and add the following mark-up (the Razor code block at the top handles the postback; the form below renders the token):

    @{
        if (IsPost) {
            // Validation token test during postback
            try {
                AntiForgery.Validate();
                // Token is valid: continue with the intended logic (add the contact).
                if (ModelState.IsValid) { Page.SuccessMessage = "Token validated!"; }
            }
            catch(Exception ex) { ModelState.AddFormError(ex.Message); }
        }
    }
    <!DOCTYPE html>
    <html lang="en">
    <div class="message-error">@Html.ValidationSummary()</div>
    <div class="message-success">@Page.SuccessMessage</div>
    <form method="post" action="">
        @AntiForgery.GetHtml()
        Full Name:<input type="text" name="username" id="username"/><br/>
        EMail:<input type="text" name="email" id="email"/><br/>
        <input type="submit" name="submit" value="Send"/>
    </form>
    </html>

This is a simple contact page with two fields. This page is available to the public on the internet, and we would like to prevent forged postbacks against it. In order to do that, we have added this line of code in between the form tags:

    @AntiForgery.GetHtml()

If you look at the page source after it has rendered in the browser, you can see that a hidden field has been added (the value shown here is a placeholder, not a real token):

    <input name="__RequestVerificationToken" type="hidden" value="[encrypted token]" />

The __RequestVerificationToken field contains an encoded, encrypted token. In addition, a cookie with the same information has been created. This allows the helper to cross-check the token in the form against the one in the cookie.

To validate the token during the postback, we use this code:

    try { AntiForgery.Validate(); }
    catch(Exception ex) { ModelState.AddFormError(ex.Message); }

The call to Validate() throws an exception if the token is not valid. At that point, the code stops any further logic and simply presents the error using the ValidationSummary method of the Html helper. If the token is successfully validated, we check the ModelState.IsValid property and continue with the intended logic, which for this example is just adding the contact information to the system.
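To make the form-field/cookie cross-check concrete, here is an added, simplified model of the scheme the article describes, written for this page and not taken from System.Web.Helpers: the real helper encrypts its token, while this model binds the form token to the cookie token with an HMAC under a server secret, which is enough to show why a request carrying only one half, or two halves from different sessions, is rejected. SERVER_KEY and the error strings are constructed for the example.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Tuple

# Constructed demo secret; a real server would use its machine key / data-protection key.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TOKEN_NAME = "__RequestVerificationToken"  # same name for the cookie and the hidden field


def _bind(cookie_token: str) -> str:
    """Form token derived from the cookie token, so the two halves match only as a pair."""
    return hmac.new(SERVER_KEY, cookie_token.encode(), hashlib.sha256).hexdigest()


def issue_tokens() -> Tuple[str, str]:
    """Called when the page renders: returns (cookie_token, form_token).
    The first goes into the cookie, the second into the hidden form field."""
    cookie_token = secrets.token_urlsafe(32)
    return cookie_token, _bind(cookie_token)


def validate_postback(cookies: Dict[str, str], form: Dict[str, str]) -> Tuple[bool, str]:
    """Called on postback: both halves must be present and must belong together.
    A cross-site page can make the browser send the victim's cookie, but it cannot
    read that cookie, so it cannot supply a matching form field."""
    cookie_token = cookies.get(TOKEN_NAME)
    form_token = form.get(TOKEN_NAME)
    if not cookie_token:
        return False, "Anti-forgery cookie is missing."
    if not form_token:
        return False, "Anti-forgery form field is missing."
    # Constant-time comparison so the check does not leak the expected value.
    if not hmac.compare_digest(_bind(cookie_token), form_token):
        return False, "Anti-forgery cookie and form field do not match."
    return True, "Token validated!"


def simulate() -> Dict[str, bool]:
    """Constructed scenarios: a legitimate postback, a forged POST that rides on the
    victim's cookie with no field, and one that pastes in a token from another session."""
    victim_cookie, victim_field = issue_tokens()
    other_cookie, other_field = issue_tokens()
    return {
        "legitimate": validate_postback({TOKEN_NAME: victim_cookie}, {TOKEN_NAME: victim_field})[0],
        "forged_no_field": validate_postback({TOKEN_NAME: victim_cookie}, {})[0],
        "forged_other_session_field": validate_postback({TOKEN_NAME: victim_cookie}, {TOKEN_NAME: other_field})[0],
    }
```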

I hope you can find this helper very useful for your own implementation.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

ozkar garcia
Architect OG-BITechnologies
United States United States


Comments and Discussions

My vote of 5
Kanasz Robert, 20-Sep-12 1:35

VS2010 and System.Web.Helpers.dll
JBoada, 19-Sep-12 15:50

Re: VS2010 and System.Web.Helpers.dll
ozkar garcia, 20-Sep-12 8:09

Formatting?
Clifford Nelson, 19-Sep-12 8:21

Re: Formatting?
Clifford Nelson, 19-Sep-12 10:33

Re: Formatting?
ozkar garcia, 20-Sep-12 7:56
This is good feedback. I could have used text and kept the formatting the same. I would need to update the blog feed.
Article Copyright 2012 by ozkar garcia