Solution
- Done automatically. That's what the [ValidateAntiForgeryToken] attribute (filter) does.
- That's not within the scope of the token; it's there just to prevent spam and some forms of hacking, not to encrypt data. If security is a concern, think of creating your own Data Annotation attribute coupled with a DisplayTemplate/EditorTemplate (then also a custom filter to pre-process the incoming value).
- Salt is like any form of encryption; it's there to make it more difficult to spoof incoming values. By using a salt you're adding another level of complication to the hash, so decrypting now requires that value.
- Again, it's not there to encrypt your data, just to secure the form from misuse.
- Not sure what you mean--a dynamic salt? You can probably create a custom implementation (ValidateMyAntiForgeryToken : ValidateAntiForgeryToken).
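Worked example, added here and not taken from the question or the answer above, showing how points 1, 2 and 4 look in an ASP.NET MVC project (System.Web.Mvc and System.Web.Helpers): the view emits the hidden field and the matching cookie, the filter compares the two before the action body runs, the action takes the user's identity from the authenticated principal rather than from a form field, and a hand-written filter shows what [ValidateAntiForgeryToken] does internally. ProductController, ProductStore, the sample owner table and the Razor snippet in the comment are assumptions for illustration. ValidateAntiForgeryTokenAttribute is sealed in MVC 4 and later, so the custom filter implements IAuthorizationFilter and delegates to AntiForgery.Validate() instead of subclassing the built-in attribute.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Helpers;
using System.Web.Mvc;

public class ProductDetails
{
    public int ProductId { get; set; }
    public string Name { get; set; }
}

public class ProductController : Controller
{
    // GET /Product/Edit/5. The Razor view (Views/Product/Edit.cshtml, assumed) contains:
    //   @using (Html.BeginForm()) {
    //       @Html.AntiForgeryToken()      // hidden __RequestVerificationToken field + cookie
    //       @Html.HiddenFor(m => m.ProductId)
    //       @Html.EditorFor(m => m.Name)
    //       <input type="submit" value="Save" />
    //   }
    [HttpGet]
    public ActionResult Edit(int id)
    {
        return View(ProductStore.Load(id));
    }

    // POST. [ValidateAntiForgeryToken] runs before this body: it reads the cookie token and
    // the hidden field, checks that both carry the same secret (and, in MVC 4 and later, the
    // same user name), and throws HttpAntiForgeryException otherwise. No comparison code
    // is written in the action.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(ProductDetails productdetails)
    {
        // The token only proves that this POST came from a form this site served to this
        // browser. It does not hide or sign the model's fields, so a user id posted in the
        // form would be attacker-controlled: take the identity from the principal instead.
        string userName = User.Identity.Name;
        if (!ProductStore.IsOwnedBy(productdetails.ProductId, userName))
            return new HttpStatusCodeResult(403);

        ProductStore.Save(productdetails, userName);
        return RedirectToAction("Index");
    }
}

// Hand-written equivalent of the built-in filter: the whole check is AntiForgery.Validate(),
// which throws HttpAntiForgeryException when cookie and form token do not match.
public sealed class ValidateMyAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        AntiForgery.Validate();
    }
}

// Constructed in-memory stand-in for a repository: product id -> owning user name.
public static class ProductStore
{
    private static readonly Dictionary<int, string> Owners =
        new Dictionary<int, string> { { 5, "alice" }, { 7, "bob" } };

    public static ProductDetails Load(int id)
    {
        return new ProductDetails { ProductId = id, Name = "Product " + id };
    }

    public static bool IsOwnedBy(int id, string userName)
    {
        string owner;
        return Owners.TryGetValue(id, out owner) && owner == userName;
    }

    public static void Save(ProductDetails product, string userName)
    {
        // Persist the change; a real store would re-check ownership inside the same transaction.
    }
}
```

The ownership check is the answer to question 2 in practice: the anti-forgery token stops a third-party site from submitting the form on the user's behalf, but it says nothing about which user is submitting or whether the posted ProductId belongs to them, so that authorization has to be done server-side from the authenticated identity on every POST.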
Need some guidelines for AntiForgeryToken use in MVC [closed]
29-06-2022
Question
I am new to MVC, so I went through a few articles about AntiForgeryToken usage. AntiForgeryToken emits an encrypted value in the page, and when the form is posted the encrypted value and the cookie for AntiForgeryToken go to the server end, where the two values are compared to check whether they are the same or not. If not, an error is thrown.
I have a few questions on AntiForgeryToken:
1) How does the comparison occur at the server end? Do I need to write any code to compare the values, or is it done automatically when the action method has an attribute like [ValidateAntiForgeryToken()]?
[ValidateAntiForgeryToken()]
public ActionResult Edit(ProductDetails productdetails)
{
    return View(productdetails);
}
2) If I would like to encrypt the user id when the page is displayed, can I write code like @Html.AntiForgeryToken(m => m.userid)? If it is possible, then when the form is posted how can I get the user id value on the server side, because the user id would be encrypted?
3) What is the salt concept people use? How do I implement the salt concept with AntiForgeryToken()?
4) Can I put multiple AntiForgeryToken() in a single form for encrypting multiple sensitive values? If it is not possible, then please tell me the reason.
5) How can I make AntiForgeryToken() encrypt the value against a key... the key will be supplied by me and every time it will be dynamic?
Please give the answers point by point. Thanks.
UPDATE
regarding dynamic salt
To generate a random string, use the RNGCryptoServiceProvider.
using System;
using System.Security.Cryptography;

public string GenerateSalt(int length)
{
    var buffer = new byte[length];
    // Dispose the provider after filling the buffer with cryptographically random bytes.
    using (var rng = new RNGCryptoServiceProvider())
    {
        rng.GetBytes(buffer);
    }
    return Convert.ToBase64String(buffer);
}
If I call GenerateSalt() then it will always give a dynamic combination. That's it.
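Worked example, added here and not part of the question or the answer, of how a "dynamic salt" of the kind the update describes is attached to the anti-forgery token in MVC 4 and later without subclassing the filter: System.Web.Helpers exposes IAntiForgeryAdditionalDataProvider, whose return value is embedded in the form token when @Html.AntiForgeryToken() renders and handed back to the provider for validation when [ValidateAntiForgeryToken] runs. The provider below stores a random value per session, generated with the same RNGCryptoServiceProvider routine as the update, and rejects any token that does not carry it. The class name, session key name and the registration line are assumptions; the interface and AntiForgeryConfig.AdditionalDataProvider are the framework's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Helpers;

// Hypothetical provider: binds every anti-forgery token to a random per-session value.
public sealed class SessionNonceAdditionalDataProvider : IAntiForgeryAdditionalDataProvider
{
    private const string SessionKey = "__AntiForgeryNonce"; // assumed session key name

    // Called when @Html.AntiForgeryToken() is rendered. The returned string goes into the
    // form token, which the framework encrypts and signs with the machine key.
    public string GetAdditionalData(HttpContextBase context)
    {
        return GetOrCreateNonce(context);
    }

    // Called by [ValidateAntiForgeryToken] / AntiForgery.Validate() on the POST. The value
    // recovered from the token must equal the one this session handed out.
    public bool ValidateAdditionalData(HttpContextBase context, string additionalData)
    {
        if (context.Session == null || additionalData == null) return false;
        var expected = context.Session[SessionKey] as string;
        return expected != null && FixedTimeEquals(expected, additionalData);
    }

    private static string GetOrCreateNonce(HttpContextBase context)
    {
        if (context.Session == null)
            throw new InvalidOperationException("Session state is required for this provider.");
        var nonce = context.Session[SessionKey] as string;
        if (nonce == null)
        {
            nonce = GenerateSalt(32);           // 32 random bytes, Base64-encoded
            context.Session[SessionKey] = nonce;
        }
        return nonce;
    }

    // Same generator as in the question's update, with the provider disposed.
    public static string GenerateSalt(int length)
    {
        var buffer = new byte[length];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(buffer);
        }
        return Convert.ToBase64String(buffer);
    }

    // Compare without leaking the position of the first mismatch through timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Registration, done once at startup (Global.asax Application_Start, assumed):
//   AntiForgeryConfig.AdditionalDataProvider = new SessionNonceAdditionalDataProvider();
```

Two caveats a practitioner would want. First, a random value only helps if the server keeps a copy to compare against: a value regenerated on every call and never stored cannot be validated, which is why the provider keeps it in session state. Second, the token is already encrypted and MAC-protected with the machine key, so the additional data adds binding (this token is only good for this session) rather than secrecy; rotating it per request instead of per session would invalidate forms left open in other tabs.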