asp.net-mvc – 为什么validateantiforgerytoken cookie值和隐藏

The __RequestVaerificationToken hidden field contains a random component (matching the one in the cookie),but that’s not all. If the user is logged in,then the hidden field value will also contain their user name (obtained from HttpContext.User.Identity.Name and then encrypted).

[ValidateAntiForgeryToken] checks that this matches the logged-in user. This adds protection in the unlikely scenario where an attacker can somehow write (but not read) cookies on your domain to a victim’s browser and tries to reuse a token generated for a different user.