
There are multiple tags generated automatically in an ASP.NET MVC5 project such as

  • HttpPost
  • ActionName("Delete")
  • ValidateAntiForgeryToken

    1. Is HttpPost / ValidateAntiForgeryToken good practice or mandatory?
    2. When declaring a function with the HttpPost attribute what is actually happening?

Thanks

MGot90

3 Answers

When declaring a function with the HttpPost attribute what am I actually doing? Posting to the web server or returning data back to view?

Neither. When you declare an action method with this attribute:

[HttpPost]
public ActionResult SomeMethod(SomeModel model)
{
    // code
}

What you're doing is indicating that requests should route to this method only if the request uses the POST HTTP verb. So users can't attempt to invoke this action by issuing a GET request, for example.

Whether or not HttpPost is "good practice" is entirely subjective. Use it when you want to restrict the HTTP verb which can invoke that method, don't use it when you don't want to make that restriction.

ValidateAntiForgeryToken is another attribute to use specifically when you want to enact a particular restriction. This works in conjunction with the @Html.AntiForgeryToken form element helper. Its purpose is to ensure that requests which validate the token are received by users who have received a token, which helps prevent request forgeries.

Basically, if you place a @Html.AntiForgeryToken in your view's form then it will create a unique value for that specific instance of that form. Then a form POST to any action method which validates the token will first check that the token is one that's been issued from the server before processing the request. That way users can't capture a form POST and replay it many times, because the server-issued token would need to be different each time.

David
  • The [HttpPost] attribute - Represents an attribute that is used to restrict an action method so that the method handles only HTTP POST requests - according to MSDN HttpPostAttribute

  • ActionName("action-name") is used to specify an alias for an action method. You can give a friendly name to your action method.

  • ValidateAntiForgeryToken - see here: AntiForgeryTokenAttribute

Kaz-LA

Using the HttpGet/HttpPost attributes adds clarity and is good practice, but not mandatory. Typically the router will figure out the correct method to call, but adding the attribute will restrict which Action methods map to HTTP Methods. See this response for a more complete explanation: MVC [HttpPost/HttpGet] for Action

As for ValidateAntiForgeryToken, I would consider this mandatory, although many developers may omit it. It will prevent a cross-site forgery attack when used correctly. Explanations on the usage of the token and the attack can be found here:

http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

ken4z
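The three attributes from the question, put together the way the answers above describe them (David's explanation of [HttpPost] and the anti-forgery token, Kaz-LA's note on ActionName, and ken4z's point that the token should be treated as mandatory). This is an added illustration, not code from the question or any of the answers; the NotesController, the Note model and its in-memory store are made up for the example.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical controller and model written to illustrate [HttpPost],
// [ActionName] and [ValidateAntiForgeryToken]; not code from the page.
namespace Demo.Controllers
{
    public class Note
    {
        public int Id { get; set; }
        public string Title { get; set; }
    }

    public class NotesController : Controller
    {
        // Stand-in for a real repository (constructed sample data).
        private static readonly Dictionary<int, Note> Store = new Dictionary<int, Note>
        {
            { 1, new Note { Id = 1, Title = "First note" } }
        };

        // GET /Notes/Delete/1 -> renders the confirmation page only.
        // Nothing is deleted here, so a crafted link or image tag that makes a
        // browser issue a GET cannot cause a state change.
        [HttpGet]
        public ActionResult Delete(int id)
        {
            Note note;
            if (!Store.TryGetValue(id, out note))
                return HttpNotFound();
            return View(note);
        }

        // POST /Notes/Delete/1 -> performs the delete.
        // [ActionName("Delete")] maps the URL "Delete" onto this method even though its
        //   C# name is DeleteConfirmed (two overloads can't share a name and parameter list).
        // [HttpPost] means a GET request never reaches this method; with no matching
        //   action for the verb, MVC answers 404.
        // [ValidateAntiForgeryToken] rejects the request (HttpAntiForgeryException, HTTP 400)
        //   unless the __RequestVerificationToken form field matches the cookie token,
        //   so a POST replayed or forged from another site fails before this code runs.
        [HttpPost]
        [ActionName("Delete")]
        [ValidateAntiForgeryToken]
        public ActionResult DeleteConfirmed(int id)
        {
            Store.Remove(id);
            return RedirectToAction("Index");
        }
    }
}

/* Views/Notes/Delete.cshtml (Razor). The form must emit the token, otherwise
   every legitimate POST is rejected by [ValidateAntiForgeryToken] as well:

@model Demo.Controllers.Note

<h2>Delete "@Model.Title"?</h2>
@using (Html.BeginForm())         // POSTs back to the same URL, /Notes/Delete/{id}
{
    @Html.AntiForgeryToken()      // hidden __RequestVerificationToken field + matching cookie
    <input type="submit" value="Delete" />
}
*/
```

Keeping the state-changing work in the POST-only method and the read-only confirmation in the GET method is what makes the verb restriction meaningful; the token then ties each accepted POST to a form the server actually issued to that browser.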