Is @Html.AntiForgeryToken()
still required in ASP.NET .NET4.6 vNext?
The form decorations have changed to
<form asp-controller="Account"
asp-action="Login"
asp-route-returnurl="@ViewBag.ReturnUrl"
method="post"
class="form-horizontal"
role="form">
From this
@using (Html.BeginForm("Login",
"Account",
new { ReturnUrl = ViewBag.ReturnUrl },
FormMethod.Post,
new { @class = "", role = "form" }))
And no longer include this
@Html.AntiForgeryToken()
The Controller Actions are still marked with the ValidateAntiForgeryToken
attribute as expected though so where exactly is it coming from? Automagically?
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…