How to use MVC AntiForgeryToken with partial views

[Technokrat]

My question is more driven by what is the proper approach when dealing with partial views. Is there a token for each partial view, or the container as a whole?

Currently our form contains divs for 5 partial views. The user is responding to a list of certification questions, and based on responses 1 or more divs/partial views are displayed. Each partial view is accepted/declined (button select) and the form as a whole is submitted (button). Currently, each partial view has its own AntiForgeryToken and corresponding token validation in the controller (in the manner as you indicated).

With this approach we periodically see the System.Web.Mvc.HttpAntiForgeryException

If I have a form/view that will display 1 or more partial views based on user responses. Where do I need to place the AntiForgeryToken? In the parent view? In the partial views? Both?

My theory is that when multiple partial views are represented a mismatch of tokens occurs and the error is reported. My thinking is to move the token to the main/parent view.

Am I on the right track? Anybody had to deal with something similar?

 

[craigber]

You should only need one Anti-Forgery token per submit, so in your case, the partial views don't need them.

Craig Berntson
MCSD, Visual C# MVP,

http://www.craigberntson.com/blog