Is MVC AntiForgeryToken useless on public forms?

462 views Asked by At

I was told that there is no need to put the ValidateAntiForgery mechanism on our razor form because it's not behind authentication and is totally open to the public.

I thought I read somewhere that it should be used on all POSTs.

Which is correct?

1

There are 1 answers

0
Nathan Taylor On

There are a number of articles which can tell you when and where it is most appropriate to use the AntiForgeryToken. Here's a few:

The last one is explicit, the author recommends that you should use the feature for all forms. It will be generally beneficial to your entire website, provided that you care about the identity of your users.

If your users have no session, and there is nothing to be gained from hijacking their ASP.NET cookie, then the anti forgery token is not particularly useful.