I have a site which uses [ValidateAntiForgeryToken] and @Html.AntiForgeryToken() to create the AntiForgeryToken and it works. The issue I have though is if a potential hacker is able to access the session on the users computer, they can still use the valid token and make queries.
How do I prevent this?
If there isn’t a valid token then the form isn’t submitted and I get the error saying no valid token is assigned.
If you need more information, please let me know.