Microsoft.AspNetCore.Antiforgery
Provides programmatic configuration for the antiforgery token system.
The default cookie prefix, which is ".AspNetCore.Antiforgery.".
Specifies the name of the cookie that is used by the antiforgery system.
If an explicit name is not provided, the system will automatically generate a
unique name that begins with the default cookie prefix.
Specifies the name of the antiforgery token field that is used by the antiforgery system.
Specifies the name of the header value that is used by the antiforgery system. If null,
antiforgery validation will only consider form data.
Specifies whether SSL is required for the antiforgery system
to operate. If this setting is 'true' and a non-SSL request
comes into the system, all antiforgery APIs will fail.
Specifies whether to suppress the generation of X-Frame-Options header
which is used to prevent ClickJacking. By default, the X-Frame-Options
header is generated with the value SAMEORIGIN. If this setting is 'true',
the X-Frame-Options header will not be generated for the response.
The antiforgery token pair (cookie and request token) for a request.
Creates the antiforgery token pair (cookie and request token) for a request.
The token that is supplied in the request.
The token that is supplied in the request cookie.
The name of the form field used for the request token.
The name of the header used for the request token.
Gets the request token.
Gets the name of the form field used for the request token.
Gets the name of the header used for the request token.
Gets the cookie token.
The exception that is thrown when the antiforgery token validation fails.
Creates a new instance of with the specified
exception .
The message that describes the error.
Provides access to the antiforgery system, which provides protection against
Cross-site Request Forgery (XSRF, also called CSRF) attacks.
Generates an for this request and stores the cookie token
in the response.
The associated with the current request.
An with tokens for the response.
This method has a side effect:
A response cookie is set if there is no valid cookie associated with the request.
Generates an for this request.
The associated with the current request.
Unlike , this method has no side effect. The caller
is responsible for setting the response cookie and injecting the returned
form token as appropriate.
Asynchronously returns a value indicating whether the request passes antiforgery validation. If the
request uses a safe HTTP method (GET, HEAD, OPTIONS, TRACE), the antiforgery token is not validated.
The associated with the current request.
A task that, when completed, returns true if the request uses a safe HTTP
method or contains a valid antiforgery token, otherwise returns false.
Validates an antiforgery token that was supplied as part of the request.
The associated with the current request.
Thrown when the request does not include a valid antiforgery token.
Generates and stores an antiforgery cookie token if one is not available or not valid.
The associated with the current request.
Allows providing or validating additional custom data for antiforgery tokens.
For example, the developer could use this to supply a nonce when the token is
generated, then validate the nonce when the token is validated.
The antiforgery system already embeds the client's username within the
generated tokens. This interface provides and consumes supplemental
data. If an incoming antiforgery token contains supplemental data but no
additional data provider is configured, the supplemental data will not be
validated.
Provides additional data to be stored for the antiforgery tokens generated
during this request.
Information about the current request.
Supplemental data to embed within the antiforgery token.
Validates additional data that was embedded inside an incoming antiforgery
token.
Information about the current request.
Supplemental data that was embedded within the token.
True if the data is valid; false if the data is invalid.
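Added example, not part of the original documentation or the project's own code: a supplemental-data provider that stamps each token with its issue time and rejects stale tokens on validation. The interface and method names are those of the Microsoft.AspNetCore.Antiforgery package; the class names, the 30-minute lifetime and the 60-second clock-skew allowance are assumptions.

```csharp
using System;
using System.Globalization;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical provider: gives antiforgery tokens an expiry by embedding
// the issue time as supplemental data and checking it on validation.
public class ExpiringTokenDataProvider : IAntiforgeryAdditionalDataProvider
{
    // Assumed values; pick a lifetime that matches how long forms stay open.
    private static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(30);
    private const long AllowedSkewSeconds = 60; // tolerance between servers in a farm

    // Called when a token is generated; the returned string is embedded in the token.
    public string GetAdditionalData(HttpContext context)
    {
        return DateTimeOffset.UtcNow.ToUnixTimeSeconds()
            .ToString(CultureInfo.InvariantCulture);
    }

    // Called when a token is validated; returning false fails validation.
    public bool ValidateAdditionalData(HttpContext context, string additionalData)
    {
        long issuedSeconds;
        if (!long.TryParse(additionalData, NumberStyles.None,
                CultureInfo.InvariantCulture, out issuedSeconds))
        {
            return false; // missing or malformed data: not issued by this provider
        }

        long age = DateTimeOffset.UtcNow.ToUnixTimeSeconds() - issuedSeconds;
        // Reject tokens dated too far in the future as well as expired ones.
        return age >= -AllowedSkewSeconds && age <= (long)MaxAge.TotalSeconds;
    }
}

public static class AntiforgerySetup
{
    public static void Configure(IServiceCollection services)
    {
        // Register the custom provider so the antiforgery system resolves it
        // instead of the default one, which embeds and validates nothing.
        services.AddSingleton<IAntiforgeryAdditionalDataProvider, ExpiringTokenDataProvider>();
        services.AddAntiforgery();
    }
}
```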
Used to hold per-request state.
Provides access to the antiforgery system, which provides protection against
Cross-site Request Forgery (XSRF, also called CSRF) attacks.
A default implementation.
Default implementation of .
Generates and validates antiforgery tokens.
Generates a new random cookie token.
An .
Generates a request token corresponding to .
The associated with the current request.
A valid cookie token.
An .
Attempts to validate a cookie token.
A valid cookie token.
true if the cookie token is valid, otherwise false.
Attempts to validate a cookie and request token set for the given .
The associated with the current request.
A cookie token.
A request token.
Will be set to the validation message if the tokens are invalid, otherwise null.
true if the tokens are valid, otherwise false.
Gets the cookie and request tokens from the request.
The for the current request.
The .
This interface can extract unique identifiers for a .
Extracts claims identifier.
The .
The claims identifier.
The provided identity of type '{0}' is marked {1} = {2} but does not have a value for {3}. By default, the antiforgery system requires that all authenticated identities have a unique {3}. If it is not possible to provide a unique {3} for this identity, consider extending {4} by overriding the {5} or a custom type that can provide some form of unique identifier for the current user.
The provided antiforgery token failed a custom data check.
The provided antiforgery token was meant for a different claims-based user than the current user.
The antiforgery token could not be decrypted.
The antiforgery cookie token and request token do not match.
Validation of the provided antiforgery token failed. The cookie token and the request token were swapped.
The provided antiforgery token was meant for user "{0}", but the current user is "{1}".
The antiforgery system has the configuration value {0}.{1} = {2}, but the current request is not an SSL request.
The required antiforgery cookie "{0}" is not present.
The required antiforgery cookie token must be provided.
The required antiforgery form field "{0}" is not present.
The required antiforgery header value "{0}" is not present.
The required antiforgery request token was not provided in either form field "{0}" or header value "{1}".
The required antiforgery request token must be provided.
Value cannot be null or empty.
Extension methods for setting up antiforgery services in an .
Adds antiforgery services to the specified .
The to add services to.
The so that additional calls can be chained.
Adds antiforgery services to the specified .
The to add services to.
An to configure the provided .
The so that additional calls can be chained.