Simple CSRF token using HMAC for authentication and integrity. Targets .NET 4.6 and .NET Standard 1.3.
AntiCSRF

Simple CSRF token using HMAC for authentication and integrity.

What does this do?

This is intended as an alternative to Microsoft's AntiForgeryToken, but not necessarily a drop-in replacement.

Why would I use this?

As you may or may not know, validating an AntiForgeryToken requires that the MachineKey be synchronized across all servers. This might not be desirable or possible from a configuration standpoint, and crypto can be computationally expensive. This library generates a token that will work across different or random machine keys and should not require a lot of power to validate.

Token Format

The token format looks something like this:

(random data)(split)(userId)(split)(expiryTime)(split)(hmac of previous data)

Finally, the token is converted to Base64 so it can be passed through however you like as a developer. The userId value need not map to a user ID in your application; it could be a user name, Guid, etc.
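
The sketch below shows how a token in this layout can be built and checked. It is an added example, not the library's own code: the '|' split character, HMAC-SHA256, the Unix-seconds expiry, the class and method names, and the use of .NET 6+ APIs are all assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative sketch only: the '|' separator, HMAC-SHA256, Unix-seconds expiry
// and every name below are assumptions, not the AntiCSRF library's internals.
static class CsrfTokenSketch
{
    const char Sep = '|';

    static string Mac(string data, byte[] key)
    {
        using var hmac = new HMACSHA256(key);
        return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(data)));
    }

    public static string Generate(string userId, byte[] key, TimeSpan lifetime)
    {
        // A userId containing the separator would shift the fields when parsed.
        if (userId.IndexOf(Sep) >= 0) throw new ArgumentException("userId contains separator");
        string random = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        long expiry = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        string data = $"{random}{Sep}{userId}{Sep}{expiry}";
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(data + Sep + Mac(data, key)));
    }

    public static bool Validate(string token, byte[] key, string expectedUserId)
    {
        string raw;
        try { raw = Encoding.UTF8.GetString(Convert.FromBase64String(token)); }
        catch (FormatException) { return false; }   // not Base64: reject
        string[] parts = raw.Split(Sep);
        if (parts.Length != 4) return false;
        // Verify the HMAC in constant time before trusting any field.
        string data = $"{parts[0]}{Sep}{parts[1]}{Sep}{parts[2]}";
        if (!CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(Mac(data, key)), Encoding.UTF8.GetBytes(parts[3]))) return false;
        return parts[1] == expectedUserId
            && long.TryParse(parts[2], out long expiry)
            && DateTimeOffset.UtcNow.ToUnixTimeSeconds() < expiry;
    }

    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);   // constructed sample key
        string token = Generate("alice", key, TimeSpan.FromMinutes(20));
        Console.WriteLine(Validate(token, key, "alice"));    // same user, unexpired
        Console.WriteLine(Validate(token, key, "mallory"));  // token bound to another user
    }
}
```

Because the HMAC covers the random data, userId and expiry together, changing any one field invalidates the token without the server storing per-token state.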

Examples

This package allows you to create an instance or simply invoke statically. Here's an example of each:

Static

string token = AntiCSRFToken.GenerateToken(username, key);
bool isValid = AntiCSRFToken.ValidateToken(token, key, username);

Instance

var instance = new AntiCSRF();
string token = instance.GenerateToken(username, key);
bool isValid = instance.ValidateToken(token, key, username);

Each method can also accept a discrete configuration as a parameter, represented by the AntiCSRFConfig class. This allows you to set the token expiry time, HMAC algorithm, split character, or disable Base64 conversion.

Contributions

I welcome any and all suggestions or improvements to the codebase. Thanks for dropping by and hope you find a good use for this library!
