AntiForgery
Provides access to the anti-forgery system, which provides protection against Cross-site Request Forgery (XSRF, also called CSRF) attacks.
Assembly: ServiceStack.Razor.dll
public static class AntiForgery
Methods
GetHtml()
Generates an anti-forgery token for this request. This token can be validated by calling the Validate() method.
This method has a side effect: it may set a response cookie.
public static MvcHtmlString GetHtml()
Returns
ServiceStack.Html.MvcHtmlString: An HTML string corresponding to an <input type="hidden"> element. This element should be put inside a <form>.
GetTokens(String, out String, out String)
Generates an anti-forgery token pair (cookie and form token) for this request. This method is similar to GetHtml(), but this method gives the caller control over how to persist the returned values. To validate these tokens, call the appropriate overload of Validate.
Unlike the GetHtml() method, this method has no side effect. The caller is responsible for setting the response cookie and injecting the returned form token as appropriate.
public static void GetTokens(string oldCookieToken, out string newCookieToken, out string formToken)
Parameters
Type | Name | Description |
---|---|---|
System.String | oldCookieToken | The anti-forgery token - if any - that already existed for this request. May be null. The anti-forgery system will try to reuse this cookie value when generating a matching form token. |
System.String | newCookieToken | Will contain a new cookie value if the old cookie token was null or invalid. If this value is non-null when the method completes, the caller must persist this value in the form of a response cookie, and the existing cookie value should be discarded. If this value is null when the method completes, the existing cookie value was valid and needn't be modified. |
System.String | formToken | The value that should be stored in the <form>. The caller should take care not to accidentally swap the cookie and form tokens. |
Validate()
Validates an anti-forgery token that was supplied for this request. The anti-forgery token may be generated by calling GetHtml().
Throws an HttpAntiForgeryException if validation fails.
public static void Validate()
Validate(String, String)
Validates an anti-forgery token pair that was generated by the GetTokens method.
Throws an HttpAntiForgeryException if validation fails.
public static void Validate(string cookieToken, string formToken)
Parameters
Type | Name | Description |
---|---|---|
System.String | cookieToken | The token that was supplied in the request cookie. |
System.String | formToken | The token that was supplied in the request form body. |
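Putting GetTokens(String, out String, out String) and Validate(String, String) together in a ServiceStack Service, as an added example that is not part of the ServiceStack docs. The request DTOs, the cookie name, the form-field name and the `ServiceStack.Html` namespace for AntiForgery are assumptions; the example shows the caller doing the cookie persistence that GetTokens deliberately leaves to it, and validating in the (cookie, form) argument order before any state changes.

```csharp
using System.Net;
using ServiceStack;
using ServiceStack.Html; // assumed namespace of AntiForgery in ServiceStack.Razor.dll

// Request DTOs, cookie name and form-field name are assumptions for this sample.
public class ProfileForm : IReturn<string> { }
public class SaveProfile : IReturn<string> { public string DisplayName { get; set; } }

public class ProfileService : Service
{
    const string CookieName = "__AntiForgeryToken";            // assumed
    const string FormFieldName = "__RequestVerificationToken"; // assumed

    string CookieTokenOrNull() =>
        Request.Cookies.TryGetValue(CookieName, out Cookie c) ? c.Value : null;
    // GET: issue the token pair. GetTokens has no side effects, so the caller
    // persists the cookie itself, and only when a new one was issued.
    public object Get(ProfileForm request)
    {
        AntiForgery.GetTokens(CookieTokenOrNull(), out string newCookieToken, out string formToken);
        // null means the existing cookie was valid and is reused unchanged.
        if (newCookieToken != null)
            Response.SetCookie(new Cookie(CookieName, newCookieToken) { HttpOnly = true, Secure = true });

        // Only the form token is rendered into the body; the cookie token never is.
        return "<form method=\"post\" action=\"/profile\">" +
               $"<input type=\"hidden\" name=\"{FormFieldName}\" value=\"{WebUtility.HtmlEncode(formToken)}\" />" +
               "<input name=\"DisplayName\" /><button>Save</button></form>";
    }

    // POST: validate before touching any state. Argument order is (cookie, form);
    // swapping them is the mistake the docs warn about and fails validation.
    public object Post(SaveProfile request)
    {
        string cookieToken = CookieTokenOrNull();
        string formToken = Request.FormData[FormFieldName];
        try
        {
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Reject the request outright; never fall through to the update.
            throw HttpError.Forbidden("Anti-forgery token validation failed.");
        }
        // ... apply request.DisplayName here ...
        return "ok";
    }
}
```

A Razor view that uses GetHtml() instead gets the same protection with less plumbing, but then the cookie is set as a side effect and the matching call is the parameterless Validate().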