Why does AntiForgeryToken create two different values in the cookie and hidden field?

Topics: ASP.NET MVC
Apr 2, 2014 at 1:58 PM
Hi,

I am new to MVC. Can someone explain to me why AntiForgeryToken creates two different values in the cookie and hidden field, and where it is going to validate those values?

Thanks,
Lakshman
Apr 4, 2014 at 5:51 AM
Hi Lakshman,

The short answer is that the two tokens encode different pieces of data. The cookie encodes a session identifier which is used to track this particular instance of the browser, while the form field is used to correlate the session identifier with an actual user. There is much more information about this available at http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages.
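
A simplified model of the pairing described in the answer above, added here as an illustration; it is not code from the thread or from ASP.NET. The class `AntiForgeryModel`, its methods, the token layout and the use of a plain HMAC (in place of the framework's own token protection) are all assumptions, and it targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simplified model, not the framework's implementation.
static class AntiForgeryModel
{
    // Assumption: stands in for the server-side key that protects real tokens.
    static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);

    static string B64(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s));
    static byte[] Mac(string payload) => HMACSHA256.HashData(Key, Encoding.UTF8.GetBytes(payload));

    // kind is "cookie" or "field"; only the field token names a user.
    static string Protect(string kind, byte[] id, string user)
    {
        string payload = kind + "|" + Convert.ToBase64String(id) + "|" + B64(user);
        return payload + "." + Convert.ToBase64String(Mac(payload));
    }

    // Returns [kind, id, user] if the MAC verifies and the kind matches, else null.
    static string[] Unprotect(string token, string kind)
    {
        int dot = token.LastIndexOf('.');
        if (dot < 0) return null;
        string payload = token.Substring(0, dot);
        byte[] mac;
        try { mac = Convert.FromBase64String(token.Substring(dot + 1)); }
        catch (FormatException) { return null; }
        if (!CryptographicOperations.FixedTimeEquals(mac, Mac(payload))) return null;
        string[] parts = payload.Split('|');
        return parts.Length == 3 && parts[0] == kind ? parts : null;
    }

    // Both tokens must verify, share one identifier, and the field must name the caller.
    public static bool Validate(string cookie, string field, string currentUser)
    {
        string[] c = Unprotect(cookie, "cookie"), f = Unprotect(field, "field");
        if (c == null || f == null) return false;
        return c[1] == f[1] && f[2] == B64(currentUser);
    }

    static void Main()
    {
        byte[] id = RandomNumberGenerator.GetBytes(16);        // constructed sample identifier
        string cookie = Protect("cookie", id, ""), field = Protect("field", id, "alice");
        Console.WriteLine(cookie == field);                    // are the two strings equal?
        Console.WriteLine(Validate(cookie, field, "alice"));   // matching pair, same user
        Console.WriteLine(Validate(cookie, field, "bob"));     // field issued to another user
        Console.WriteLine(Validate(field, cookie, "alice"));   // tokens swapped
    }
}
```

In an MVC application the real check runs on the server when the form is posted, typically through the `[ValidateAntiForgeryToken]` attribute on the action that receives the form rendered with `@Html.AntiForgeryToken()`.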