I still don't understand how the Anti-forgery Token works in MVC. From the MSDN.
Anti-Forgery Tokens
To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called request verification tokens.
- The client requests an HTML page that contains a form.
- The server includes two tokens in the response. One token is sent as a cookie. The other is placed in a hidden form field. The tokens are generated randomly so that an adversary cannot guess the values.
- When the client submits the form, it must send both tokens back to the server. The client sends the cookie token as a cookie, and it sends the form token inside the form data. (A browser client automatically does this when the user submits the form.)
- If a request does not include both tokens, the server disallows the request.
Here is an example of an HTML form with a hidden form token:
<form action="/Home/Test" method="post">
    <input name="__RequestVerificationToken" type="hidden"
           value="6fGBtLZmVBZ59oUad1Fr33BuPxANKY9q3Srr5y[...]" />
    <input type="submit" value="Submit" />
</form>
My question is that since we can find the hidden token value easily by looking at the source code (F12 in any browser), can we then manually set the cookie by going to the Developer Tools (Ctrl-Shift-J or Tools -> Developer Tools) -> Console, where you can enter the JavaScript command:
document.cookie="keyofcookie=valueofcookie"?
Then we can manually set the tokens to the same value and therefore disable the Anti-Forgery technology?
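The following is an added, simplified model of the cookie-token / form-token pairing described in the quoted MSDN text (not the question author's code and not ASP.NET MVC's actual implementation); the HMAC signing, the user names and SERVER_KEY are assumptions standing in for the machine key. It shows why the three request shapes that matter for CSRF are accepted or rejected: a legitimate submission, a cross-site post that cannot read the victim's hidden field, and a forged form carrying a token from the attacker's own session.

```python
import hashlib
import hmac
import secrets

# Constructed server secret standing in for the ASP.NET machine key (assumption).
SERVER_KEY = secrets.token_bytes(32)

def issue_tokens(username):
    """Issue the cookie token and the matching hidden-field token for one page load."""
    security_token = secrets.token_hex(16)  # random, so an adversary cannot guess it
    # The form token carries the same random value plus the user name, signed with the
    # server key, so a pair lifted from another session cannot be mixed with this cookie.
    payload = f"{security_token}:{username}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return security_token, f"{security_token}:{username}:{tag}"

def validate(cookie_token, form_token, current_user):
    """Accept only if both tokens are present, signed, and belong together."""
    if not cookie_token or not form_token:
        return False  # one token missing: the request is disallowed
    parts = form_token.split(":")
    if len(parts) != 3:
        return False
    security_token, username, tag = parts
    payload = f"{security_token}:{username}".encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # form token forged or tampered with
    return hmac.compare_digest(security_token, cookie_token) and username == current_user

def legitimate_submission():
    """Alice's browser posts the form it was served: cookie and form token match."""
    cookie, form = issue_tokens("alice")
    return validate(cookie, form, "alice")

def cross_site_post():
    """A third-party page auto-submits to /Home/Test: the browser attaches Alice's cookie,
    but the same-origin policy keeps that page from reading Alice's hidden field."""
    cookie, _ = issue_tokens("alice")
    return validate(cookie, None, "alice")

def attacker_pair_with_victim_cookie():
    """The forged form carries a token from the attacker's own session; the browser
    still sends Alice's cookie, so the random values (and user) do not match."""
    victim_cookie, _ = issue_tokens("alice")
    _, attacker_form = issue_tokens("mallory")
    return validate(victim_cookie, attacker_form, "alice")
```

Setting document.cookie from the console only affects your own browser, and a request where you align your own cookie with your own form token is simply a legitimate request from you; the protection is aimed at a third-party site, which can neither read your hidden field nor set cookies for the target domain.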