From the course: ASP.NET MVC 5 Identity: Authentication and Authorization


Vulnerability: Cross-site request forgery (CSRF)

- [Instructor] The default authentication in ASP.NET MVC 5 is achieved through cookies. Incoming requests are automatically checked for the authentication information, and user sessions are resolved before arriving at the controller. User authorization is simply applied by adding the Authorize attribute to the controller or action method. ASP.NET MVC 5 comes with a built-in feature to stop CSRF attacks, where CSRF stands for cross-site request forgery. It's a filter called ValidateAntiForgeryToken and it's implemented by default in the account controller. If you scroll down to the login method, you will see that the login method has the ValidateAntiForgeryToken attribute, which is used to prevent these kinds of attacks. For the filter to work, it needs an implementation on the client side that creates a unique token which is sent with a request to the server. If the token is missing or incorrect, the request is rejected. Since it's not stored in the cookie, but sent fresh in every…
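The pieces the instructor describes, put together as an added example that is not the course's own code: the POST action carrying ValidateAntiForgeryToken, the Razor form that emits the token with Html.AntiForgeryToken(), and, going beyond what the transcript shows, a global filter that validates every POST so an action that forgets the attribute is still covered. AccountController, LoginViewModel, ApplicationSignInManager and SignInStatus are the names used by the default MVC 5 project template; the global filter class and its 400 response are this example's own additions.

```csharp
// Added example, not the course's own code. AccountController, LoginViewModel,
// ApplicationSignInManager and SignInStatus are the default MVC 5 template's
// names; ValidateAntiForgeryTokenOnAllPosts is this example's own addition.
using System;
using System.Threading.Tasks;
using System.Web.Helpers;
using System.Web.Mvc;
using Microsoft.AspNet.Identity.Owin;

public class AccountController : Controller
{
    // Assumed to be wired up as in the default template (OWIN context).
    public ApplicationSignInManager SignInManager { get; set; }

    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // The filter rejects the POST unless the hidden __RequestVerificationToken
    // form field and the __RequestVerificationToken cookie are both present and
    // match. A form served from another origin can neither read the field nor
    // set the cookie, so a forged POST fails here before the action body runs.
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        var result = await SignInManager.PasswordSignInAsync(
            model.Email, model.Password, model.RememberMe, shouldLockout: false);

        if (result == SignInStatus.Success)
            return RedirectToLocal(returnUrl);

        ModelState.AddModelError("", "Invalid login attempt.");
        return View(model);
    }

    // Only follow returnUrl when it is local, so a successful login cannot
    // bounce the user to another site.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        return Url.IsLocalUrl(returnUrl)
            ? (ActionResult)Redirect(returnUrl)
            : RedirectToAction("Index", "Home");
    }
}

/* The matching Razor view (Views/Account/Login.cshtml) emits the token:

@using (Html.BeginForm("Login", "Account", new { ReturnUrl = ViewBag.ReturnUrl }, FormMethod.Post))
{
    @Html.AntiForgeryToken()   // hidden __RequestVerificationToken input + paired cookie
    @Html.TextBoxFor(m => m.Email)
    @Html.PasswordFor(m => m.Password)
    <input type="submit" value="Log in" />
}
*/

// Defence in depth beyond the per-action attribute: validate every POST
// application-wide and turn a validation failure into a 400 instead of an
// unhandled HttpAntiForgeryException (which would surface as a 500).
public sealed class ValidateAntiForgeryTokenOnAllPosts : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        // Actions that already carry [ValidateAntiForgeryToken] are checked by
        // that attribute itself; skip them rather than validating twice.
        var alreadyValidated = filterContext.ActionDescriptor
            .GetCustomAttributes(typeof(ValidateAntiForgeryTokenAttribute), inherit: true).Length > 0;
        if (alreadyValidated)
            return;

        try
        {
            AntiForgery.Validate();   // the same check the attribute performs
        }
        catch (HttpAntiForgeryException)
        {
            filterContext.Result = new HttpStatusCodeResult(400, "Missing or invalid anti-forgery token.");
        }
    }
}

// App_Start/FilterConfig.cs: register the global filter once at startup.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new ValidateAntiForgeryTokenOnAllPosts());
    }
}
```

The per-action attribute is what the course's AccountController uses; the global filter is the safety net for every other POST in the application. Because the check compares the form token against the cookie token, the form field alone (for example, one copied from a page the attacker loaded in their own browser) is not enough: the cookie is tied to the victim's browser and the token pair is validated against it.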