Question

I am new to MVC, so I went through a few articles about AntiForgeryToken usage. AntiForgeryToken emits an encrypted value in the page, and when the form is posted the encrypted value and the AntiForgeryToken cookie go to the server end, where the two values are compared to check whether they are the same. If not, an error is thrown.

I have a few questions on AntiForgeryToken.

1) How does the comparison occur at the server end? Do I need to write any code to compare the values, or is it done automatically when the action method has an attribute like [ValidateAntiForgeryToken()]?

[HttpPost]
[ValidateAntiForgeryToken()]
public ActionResult Edit(ProductDetails productdetails)
{
    // The filter has already validated the token by the time this body runs.
    // ... update the product, then redirect ...
    return RedirectToAction("Index");
}

2) If I want to encrypt the user id when the page is displayed, can I write code like @Html.AntiForgeryToken(m => m.userid)? If that is possible, then when the form is posted, how can I get the user id value on the server side, because the user id would be encrypted?

3) What is the salt concept people use? How do I implement the salt concept with AntiForgeryToken()?

4) Can I put multiple AntiForgeryToken() calls in a single form for encrypting multiple pieces of sensitive data? If that is not possible, please tell me the reason.

5) How can I make AntiForgeryToken() encrypt the value against a key? The key would be supplied by me, and every time it would be dynamic.

Please answer point by point. Thanks.

UPDATE

Regarding the dynamic salt:

To generate a random string, use RNGCryptoServiceProvider.

using System;
using System.Security.Cryptography;

// Returns `length` cryptographically random bytes, Base64-encoded.
public string GenerateSalt(int length)
{
    // RNGCryptoServiceProvider is IDisposable; release it when done.
    using (var rng = new RNGCryptoServiceProvider())
    {
        var buffer = new byte[length];
        rng.GetBytes(buffer);
        return Convert.ToBase64String(buffer);
    }
}

If I call GenerateSalt() it will always give a different combination. That's it.


Solution

  1. Done automatically. That's what the [ValidateAntiForgeryToken] attribute (filter) does.
  2. That's not within the scope of the token; it's there just to prevent spam and some forms of hacking, not to encrypt data. If security is a concern, think of creating your own Data Annotation attribute coupled with a DisplayTemplate/EditorTemplate (and then also a custom filter to pre-process the incoming value).
  3. Salt is like any form of encryption; it's there to make it more difficult to spoof incoming values. By using a salt you're adding another level of complication to the hash, so decrypting now requires that value.
  4. Again, it's not there to encrypt your data, just to secure the form from misuse.
  5. Not sure what you mean--a dynamic salt? You can probably create a custom implementation (ValidateMyAntiForgeryToken : ValidateAntiForgeryToken).
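The following is an added example, written for this page and not taken from the question or the answer above. It puts the answer's points into working ASP.NET MVC 4+ code: point 1 (the filter does the comparison), point 2 (the user's identity is taken from the authenticated principal rather than from a hidden field), and points 3 and 5 (what the framework offers in place of a hand-rolled "dynamic salt": an IAntiForgeryAdditionalDataProvider, plus the custom filter the answer suggests). The ProductDetails model, the controller, the header name and the 30-minute lifetime are assumptions of this example.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Assumed model for the Edit action; the original post never shows it.
public class ProductDetails
{
    public int ProductId { get; set; }
    public string Name { get; set; }
}

// Points 3/5: the MVC 4+ replacement for a "dynamic salt". Whatever this provider
// returns is embedded in the form token (the token is protected with the machine
// key, so the client cannot alter it), and ValidateAdditionalData is called on
// every POST guarded by [ValidateAntiForgeryToken]. Here it gives each token a
// 30-minute lifetime (assumed value). Binding the token to User.Identity.Name is
// already done by the framework, so the provider does not repeat that.
public class ExpiringAdditionalDataProvider : IAntiForgeryAdditionalDataProvider
{
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);

    public string GetAdditionalData(HttpContextBase context)
    {
        // Issue time, embedded in the token at generation.
        return DateTime.UtcNow.Ticks.ToString();
    }

    public bool ValidateAdditionalData(HttpContextBase context, string additionalData)
    {
        long ticks;
        if (!long.TryParse(additionalData, out ticks))
            return false;                    // missing or malformed: reject
        TimeSpan age = DateTime.UtcNow - new DateTime(ticks, DateTimeKind.Utc);
        return age >= TimeSpan.Zero && age <= Lifetime;
    }
}

// Global.asax.cs: register the provider once at startup.
public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        AntiForgeryConfig.AdditionalDataProvider = new ExpiringAdditionalDataProvider();
    }
}

// Point 1: nothing to compare by hand. The attribute reads the anti-forgery
// cookie and the hidden __RequestVerificationToken field, checks them against
// each other (and runs ValidateAdditionalData above), and throws
// HttpAntiForgeryException before the action body runs if anything fails.
public class ProductController : Controller
{
    [HttpGet]
    public ActionResult Edit(int id)
    {
        // The matching Razor view, shown here as a comment:
        //   @using (Html.BeginForm()) {
        //       @Html.AntiForgeryToken()
        //       @Html.HiddenFor(m => m.ProductId)
        //       @Html.EditorFor(m => m.Name)
        //       <input type="submit" value="Save" />
        //   }
        return View(new ProductDetails { ProductId = id });
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(ProductDetails productdetails)
    {
        // Point 2: the user's id is never read from a hidden field, encrypted or
        // not; it comes from the authenticated principal on the server side.
        string currentUser = User.Identity.Name;
        // ... persist productdetails on behalf of currentUser ...
        return RedirectToAction("Edit", new { id = productdetails.ProductId });
    }
}

// Point 5 variant: the custom filter the answer suggests, for AJAX posts that
// carry the form token in a request header instead of a form field. The header
// name X-RequestVerificationToken is an assumption of this example.
public class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;
        string formToken = request.Headers["X-RequestVerificationToken"];

        // The same check [ValidateAntiForgeryToken] performs, with the form token
        // taken from the header; throws HttpAntiForgeryException on failure.
        AntiForgery.Validate(cookieToken, formToken);
    }
}
```

Two practical notes. The additional-data provider is the supported hook for binding extra state into the token in MVC 4 and later; the `salt` parameter of `Html.AntiForgeryToken` from MVC 3 is obsolete there and is ignored. And nothing in this mechanism encrypts form data for you: the token only proves that the POST originated from a page your server rendered for this user, which is why the answer keeps saying it is not the tool for hiding a user id.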
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow