Class AspNetAntiForgery

Integrates cross-site request forgery (XSRF) prevention with ASP.NET.

Inheritance
System.Object
AspNetAntiForgery
Inherited Members
System.Object.ToString()
System.Object.Equals(System.Object)
System.Object.Equals(System.Object, System.Object)
System.Object.ReferenceEquals(System.Object, System.Object)
System.Object.GetHashCode()
System.Object.GetType()
System.Object.MemberwiseClone()
Namespace: EPiServer.Framework.Web
Assembly: EPiServer.Framework.dll
Version: 8.11.0
Syntax
public class AspNetAntiForgery

Constructors

AspNetAntiForgery(HttpRequestBase, HttpResponseBase)

Initializes a new instance of the AspNetAntiForgery class.

Declaration
public AspNetAntiForgery(HttpRequestBase request, HttpResponseBase response)
Parameters
Type                          Name      Description
System.Web.HttpRequestBase    request   The request object.
System.Web.HttpResponseBase   response  The response object.

AspNetAntiForgery(Page)

Initializes a new instance of the AspNetAntiForgery class.

Declaration
public AspNetAntiForgery(Page page)
Parameters
Type                  Name  Description
System.Web.UI.Page    page  The page.

Properties

CookieName

Gets the name of the anti-forgery cookie.

Declaration
public string CookieName { get; }
Property Value
Type            Description
System.String   The name of the token.

Remarks

This name is used to identify both the cookie and the hidden field.

FieldName

Gets the name of the form field in which the XSRF validation data is stored.

Declaration
public string FieldName { get; }
Property Value
Type            Description
System.String   The name of the field.

HeaderName

Gets the name of the header in which the XSRF validation data is stored.

Declaration
public string HeaderName { get; }
Property Value
Type            Description
System.String   The name of the header.

Methods

CreateValidationField(ClientScriptManager)

Adds the hidden anti-forgery field to a Web Forms page.

Declaration
public void CreateValidationField(ClientScriptManager scriptManager)
Parameters
Type                                 Name           Description
System.Web.UI.ClientScriptManager    scriptManager  The script manager for the current page.

Remarks

If the request is not authenticated, this method does nothing.

CreateValidationToken()

Creates the validation token based on the anti-forgery cookie.

Declaration
public string CreateValidationToken()
Returns
Type            Description
System.String   The validation token.

Remarks

This method returns an empty string if the request is not authenticated.

The anti-forgery cookie will be created if it does not exist.

RemoveCookie()

Removes the anti-forgery cookie.

Declaration
public void RemoveCookie()
Remarks

Call this on login and logout to ensure that a new session is established.

ValidateField()

Validates the current request by checking that the hidden field can be validated with the cookie data.

Declaration
public void ValidateField()

ValidateToken(String)

Validates the string representation of the token against the anti-forgery cookie.

Declaration
public void ValidateToken(string token)
Parameters
Type            Name   Description
System.String   token  The validation data.

Remarks

This is primarily used in a non-WebForms scenario. For Web Forms you should call ValidateField instead.
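
An added usage example for the non-WebForms path described above (not EPiServer's own code): a hypothetical ASP.NET MVC filter and controller that issue the token, validate it from the request header, and remove the cookie on logout. The class and action names are invented for illustration, and the example assumes that ValidateToken throws on failure, which this page does not state.

```csharp
using System.Web;
using System.Web.Mvc;
using EPiServer.Framework.Web;

// Hypothetical filter (not an EPiServer type): apply it to authenticated,
// state-changing MVC actions.
public class ValidateXsrfHeaderAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase http = filterContext.HttpContext;
        var antiForgery = new AspNetAntiForgery(http.Request, http.Response);
        // Client script echoes the token in the header named by HeaderName.
        string token = http.Request.Headers[antiForgery.HeaderName];
        if (string.IsNullOrEmpty(token))
        {
            // Fail closed: a missing token is never "nothing to check".
            filterContext.Result = new HttpStatusCodeResult(403, "Missing anti-forgery token");
            return;
        }
        // Assumption: ValidateToken returns void, so it is expected to throw
        // on mismatch. The exception type is not documented on this page, so
        // it is left to the application's error handling.
        antiForgery.ValidateToken(token);
    }
}

// Hypothetical controller showing token issuance and cookie removal.
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult XsrfToken()
    {
        var antiForgery = new AspNetAntiForgery(Request, Response);
        string token = antiForgery.CreateValidationToken(); // creates the cookie if missing
        if (string.IsNullOrEmpty(token))
            return new HttpStatusCodeResult(401); // empty string: request not authenticated
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore(); // tokens must not be served from a cache
        return Json(new { header = antiForgery.HeaderName, token }, JsonRequestBehavior.AllowGet);
    }

    [HttpPost, ValidateXsrfHeader]
    public ActionResult Logout()
    {
        // The sign-out call itself depends on the authentication scheme and is omitted.
        new AspNetAntiForgery(Request, Response).RemoveCookie();
        return new HttpStatusCodeResult(204);
    }
}
```

The token endpoint must only be readable same-origin; exposing it through a permissive CORS policy would let another site fetch a valid token.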