Creates an anti-forgery token that prevents cross-site scripting attacks.

To use it, embed the code generated by this method into the page like this:

<%= Process.AddAntiForgeryToken(.T.) %>

which creates a hidden form field with a validation token. When the form is submitted it also adds a cookie with the token.

In your code, when accepting a POST, you can then check the validation token with CheckValidationToken(), which compares the posted value against the cookie and the timeout:

IF (Request.IsPostback() AND !Process.CheckValidationToken(900))
    this.ErrorDisplay.ShowError("Invalid Request.")
    RETURN   && don't process the submit when the token is missing, mismatched or expired
ENDIF

* ... go on processing your submit logic

The number provided is the timeout in seconds and determines how long this validation token is valid for; in this case 15 minutes.


Return Value

Token Id or, if llAsHtml is .T., an HTML string of a hidden input field.


llAsHtml

If .T., returns a full HTML hidden input element as a string. If .F., only the ID is returned.


This mechanism uses an HttpOnly local domain cookie to store a validation code that must be matched by a hidden input field value. The input field value and the cookie share a common id value, which must match when compared. Since the HttpOnly cookie is valid only for the originating domain, it is very difficult to spoof this request unless someone actually submits the request on the same domain and then captures the cookie.

This mechanism protects only from cross-site script attacks; it does not prevent remote post operations using an HTTP client if the actual valid cookie and request value are provided. In other words, this is only meant to prevent cross-site script attacks, not potential replay attacks, which can be carried out within the timeout window. Therefore, using a shortish timeout for lnTimeoutSeconds on CheckValidationToken() is a good idea.
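As an added model of the request-forgery defense described above (not the library's own code), this Python sketch issues a token id that goes into both an HttpOnly cookie and a hidden field, then checks a POST the way CheckValidationToken() does: the two values must match and the issue time must fall within the timeout. The page does not say how the library encodes the issue time; here it is embedded in the id and HMAC-signed, and the cookie/field name, the secret and the function names are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed demo secret; a real deployment loads it from configuration.
SECRET = b"demo-secret-not-for-production"
TOKEN_NAME = "__validation_token"  # assumed name for both cookie and hidden field


def add_anti_forgery_token(now=None):
    """Issue a token id; return (Set-Cookie value, hidden input HTML, id).

    The id carries a random nonce, its issue time and an HMAC over both, so the
    server can enforce the timeout later without storing anything per request."""
    issued = int(time.time() if now is None else now)
    payload = f"{os.urandom(16).hex()}.{issued}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    token_id = f"{payload}.{sig}"
    cookie = f"{TOKEN_NAME}={token_id}; HttpOnly; SameSite=Lax; Path=/"
    field = f'<input type="hidden" name="{TOKEN_NAME}" value="{token_id}" />'
    return cookie, field, token_id


def check_validation_token(cookie_value, form_value, timeout_seconds, now=None):
    """True only if the posted field and the cookie carry the same, untampered,
    unexpired token id. A captured valid pair still passes inside the window,
    which is the replay caveat the documentation warns about."""
    if not cookie_value or not form_value:
        return False
    # Constant-time comparison so a mismatch leaks no timing signal about the id.
    if not hmac.compare_digest(cookie_value, form_value):
        return False
    try:
        nonce, issued, sig = cookie_value.split(".")
        issued = int(issued)
    except ValueError:  # malformed id: wrong part count or non-numeric time
        return False
    expected = hmac.new(SECRET, f"{nonce}.{issued}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # issue time was tampered with
        return False
    current = int(time.time() if now is None else now)
    return 0 <= current - issued <= timeout_seconds
```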

See also:

Class wwProcess | wwProcess::CheckAntiForgeryToken

© West Wind Technologies, 1996-2018 • Updated: 06/29/18