Any reason not to trust ASP.NET AntiForgeryToken?

Frontend Unresolved 1 1281
闹比i 2020-12-14 20:45

I know that Stack Exchange sites do not use the ASP.NET MVC built-in @Html.AntiForgeryToken() for the prevention of XSRF/CSRF attacks. Instead of creating a hid

1 answer
  • 2020-12-14 21:19

    The one limitation we ran into with the default implementation was the lack of out-of-the-box support for AJAX calls. The hidden field approach works for sites that primarily deal with traditional form POSTs, but not quite for AJAX-heavy sites like SO.

    We implemented the approach outlined in this CodeThinked blog post and we couldn't be happier. It looks like Phil Haack also supports this approach, based on his Oct 2011 blog post.

    Couple of (unsolicited, I know!) pointers:

    1. If you are running a web farm, you should, of course, use a static machineKey in your Web.config.
    2. Make sure all your servers have this KB installed. Otherwise, you may run into machineKey validation issues.
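The header-based variant the answer refers to, shown as an added example that is not code from the answer, the CodeThinked post, or Phil Haack's post. It assumes ASP.NET MVC 4 or later with `System.Web.Helpers`, and a client script that copies the value of the hidden field emitted by `@Html.AntiForgeryToken()` into a request header on its AJAX calls; the header name `__RequestVerificationToken` and the attribute name are this example's own choices.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example: an authorization filter that validates the ASP.NET anti-forgery
// token pair when the request half arrives in a header (AJAX) rather than only
// in a form field. Both halves are still checked by the framework's own
// AntiForgery.Validate, so the cryptographic binding is unchanged.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    // Header name is an assumption of this example; the client must send the same name.
    public const string HeaderName = "__RequestVerificationToken";

    // Name of the hidden input that @Html.AntiForgeryToken() renders.
    private const string FormFieldName = "__RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        HttpRequestBase request = filterContext.HttpContext.Request;

        // Cookie half of the pair; the cookie name comes from the framework's config
        // so a renamed cookie (e.g. per-application suffix) is still found.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        // Request half: prefer the header used by AJAX calls, fall back to the
        // hidden form field so the same attribute also covers plain form POSTs.
        string requestToken = request.Headers[HeaderName];
        if (string.IsNullOrEmpty(requestToken))
        {
            requestToken = request.Form[FormFieldName];
        }

        // Throws HttpAntiForgeryException on a missing, tampered or mismatched pair,
        // which stops the action from running. Null tokens are rejected as well.
        AntiForgery.Validate(cookieToken, requestToken);
    }
}

// Usage on an action that is only ever called via AJAX:
//
//   [HttpPost]
//   [ValidateHeaderAntiForgeryToken]
//   public ActionResult Vote(int postId) { /* ... */ }
```

On the client, the page script reads the hidden field's `value` once and attaches it as the `__RequestVerificationToken` header on every same-origin XHR POST; a cross-site page cannot read that field or the cookie, so it cannot supply a matching pair. The web-farm pointers in the answer still apply: every server decrypting the token must share the same `machineKey`, otherwise `AntiForgery.Validate` fails on whichever node did not issue the cookie.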