ASP MVC anti forgery token question [duplicate]
This is a theoretical question.
Can someone, if he/she knows all about my post action (URL, parameters...), load one of my URLs, parse out the anti-forgery token value, call the previously mentioned post via AJAX and succeed?
Or are these tokens somehow protected? I really don't know, because I'm just starting MVC, and I want to be sure of my safety.
The tokens are to mitigate CSRF attacks, so if an attacker was able to get the token for a specific URL, get it into a web page and get you specifically to visit that web page within a specified time interval, then they could in theory carry out a successful CSRF attack against you. There's a lot of small probabilities involved in that and it would be a relatively inefficient attack since it has only one target in the simple case.
If I recall correctly (no way to check at present), the token contains encrypted data specific to one user, a datetime for a valid submission window and optionally a static salt string. This token value is put into a hidden input in the form and also into a cookie. When the form is submitted, each value is decrypted and the individual data values are compared. If they are the same, the request is deemed to have come from a known source.
The framework implementation is a perfectly good implementation, in my opinion of course, and will be fine for most applications.
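As an added illustration (this is not the framework's code; HMAC signing stands in for the encryption the answer mentions, and the key, field names and window length are constructed), a Python model of the server-side check the answer describes: the token is bound to a user, an expiry and an optional salt, issued into both the form field and the cookie, and the POST is only accepted when both copies verify and agree with the authenticated user. It also shows why a token scraped from the attacker's own session does not pass when submitted against another user's cookie.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; the real framework derives its keys from the
# machine key configuration, never from a literal in code.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL_SECONDS = 3600  # the "valid submission window" from the answer


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(user: str, salt: str = "", now: Optional[float] = None) -> str:
    """Bind a token to one user, an expiry time and an optional static salt.
    The same value is written to the hidden form field and the cookie."""
    now = time.time() if now is None else now
    data = {"user": user, "exp": now + TOKEN_TTL_SECONDS, "salt": salt}
    payload = json.dumps(data, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def parse_token(token: str) -> Optional[dict]:
    """Return the payload only if the signature verifies, else None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    return json.loads(payload)


def validate_request(form_token: str, cookie_token: str, current_user: str,
                     salt: str = "", now: Optional[float] = None) -> bool:
    """POST-time check: both copies must verify, be unexpired, carry the
    authenticated user and the expected salt. A token minted in an
    attacker's own session names a different user and is rejected."""
    now = time.time() if now is None else now
    form, cookie = parse_token(form_token), parse_token(cookie_token)
    if form is None or cookie is None:
        return False
    for tok in (form, cookie):
        if now > tok["exp"] or tok["user"] != current_user or tok["salt"] != salt:
            return False
    return True
```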