Barry Dorrans created a filter for CSRF protection in ASP.NET. It's inspired by the ASP.NET MVC CSRF token approach. It's a simple and effective protection mechanism when you can't use the ViewStateUserKey because you've disabled ViewState. It doesn't...
ViewStateUserKey is not a completely effective mitigation against Cross-Site Request Forgery. It doesn't work for non post-backs (I.e. GET requests), and it doesn't work if the ViewState MAC is turned off. In several different places , we see a piece...