AntiXsrf: Use of cookieToken without formToken


I didn’t find a dedicated category and selected the most close one, for my opinion.

The AntiForgery() class provides two validate methods: (1) parameterless and (2) accepting cookieToken and formToken.

Does (2) requires both token to perform validation? I intend to use either of them and have no way to preserve both.

Thank you,

You can use the parameterless one, here’s an example:

In your Razor page embed the token in your Form:

<form action="/antiforgery/test" method="POST">
    <input name="Field" value="Test"/>        
    <input type="submit"/>

Which you can then validate in your Service:

public class AntiForgeryTest
    public string Field { get; set; }

public class AntiForgeryService : Service
    public object Any(AntiForgeryTest request)

Thank you.

We use a different approach in displaying UI in our SPA. It doesn’t involve dynamic creation of views. Therewhy we cannot embed a token into client page and like to use a cookie token only.

Does your answer mean that there is no support in antiXsrf cookie token along?

Yes it requires both formToken and cookieToken to perform the validation.