Browse by Tags

More ASP.NET CSRF Protection Options
Barry Dorrans created a filter for CSRF protection in ASP.NET. It's inspired by the ASP.NET MVC CSRF token approach. It's a simple and effective protection mechanism when you can't use the ViewStateUserKey because you've disabled ViewState. It doesn't...

Posted by Alex | 1 comment(s)

Preventing CSRF with CsrfGuard
Edit: I realized I didn't mention the multitude of other ways to discourage CSRF including re-authentication, CAPTCHA, referrer checking, etc. This article deals only with the "secret token" approach to stopping CSRF. CSRF (Cross-Site Request Forgery...

Posted by Alex | 3 comment(s)

ViewStateUserKey Doesn’t Prevent Cross-Site Request Forgery
ViewStateUserKey is not a completely effective mitigation against Cross-Site Request Forgery. It doesn't work for non-postbacks (i.e. GET requests), and it doesn't work if the ViewState MAC is turned off. In several different places, we see a piece...

Posted by Alex | 8 comment(s)