ASP.NET Core Identity registration XSRF/CSRF protection

I’m learning Core 3.1 with Razor Pages. While watching tutorials on identity/authentication/authorization, a common example approach for a user creation/registration form is to wrap some IsAdmin checkbox or user role selection dropdown inside a @if(User.IsInRole(...)) block, to be bound and checked later in the POST handlers. This makes it so that regular users can register as guests/customers etc., while admins can create other admin roles.

So naturally I’m thinking about a potential XSRF/CSRF attack where someone could forge a form with those checkboxes/dropdowns to create these roles.

I learned that Razor Pages have a built-in antiforgery token enabled on all POST forms. My question is: is it enough to protect against such attacks?

I’m thinking I can put a secondary check in the page model’s POST handler, to check the currently logged-in user again like this:

if (Input.Role == MyRole.Admin && User.IsInRole(MyRole.Admin))
{
    // Create admin user
}

Would this offer more protection for privileged role creation, or is it redundant? If it is still insufficient, are there any other methods that should be considered?



Method 1

I don’t see a problem with checking for the user’s role for extra security, but what you should do is separate your actions, i.e. an action must have only one purpose, and then, depending on what level of access each action needs, you can decorate it with the Authorize attribute like this:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize(Roles = "Administrator, PowerUser")]
public class ControlPanelController : Controller
{
    // Reachable by Administrator or PowerUser (class-level requirement)
    public ActionResult Stuff() => View();

    // Narrower requirement on this one action: Administrator only
    [Authorize(Roles = "Administrator")]
    public ActionResult DoAdminStuff() => View();
}

See here MS Docs
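The following is an added example (not code from the question, the answer or the ASP.NET Core docs) that puts the two ideas above together for Razor Pages: a public registration page whose bound input has no Role property at all, so a forged or hand-crafted "Input.Role" field is ignored by model binding, and a separate admin-only page guarded by [Authorize(Roles = ...)] that additionally re-checks the caller's role inside the POST handler, as the question proposes. The antiforgery token covers cross-site forgery from another origin; the role checks cover the different case of a logged-in non-admin user submitting the privileged field themselves. The MyRole constants, the page names and the IdentityUser/UserManager wiring are assumptions for the sake of the example.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

// Hypothetical role names used throughout this example.
public static class MyRole
{
    public const string Admin = "Administrator";
    public const string Customer = "Customer";
}

// Public self-registration page. Anonymous users may post here, but the bound
// input deliberately has no Role property, so a form field named "Input.Role"
// (forged cross-site or typed into the browser's dev tools) is never bound.
[AllowAnonymous]
public class RegisterModel : PageModel
{
    private readonly UserManager<IdentityUser> _userManager;
    public RegisterModel(UserManager<IdentityUser> userManager) => _userManager = userManager;

    [BindProperty]
    public RegisterInput Input { get; set; } = new RegisterInput();

    public class RegisterInput
    {
        [Required, EmailAddress] public string Email { get; set; }
        [Required, DataType(DataType.Password)] public string Password { get; set; }
    }

    // Razor Pages validates the antiforgery token on every POST handler by
    // default; the <form method="post"> tag helper emits the hidden token.
    public async Task<IActionResult> OnPostAsync()
    {
        if (!ModelState.IsValid) return Page();

        var user = new IdentityUser { UserName = Input.Email, Email = Input.Email };
        var result = await _userManager.CreateAsync(user, Input.Password);
        if (!result.Succeeded)
        {
            foreach (var e in result.Errors) ModelState.AddModelError(string.Empty, e.Description);
            return Page();
        }

        // The role is fixed server-side; it never comes from the request.
        await _userManager.AddToRoleAsync(user, MyRole.Customer);
        return RedirectToPage("/Index");
    }
}

// Separate, privileged page for admins creating other users. The attribute
// rejects every request (GET and POST) from a caller without the role, so a
// forged cross-site POST riding on a non-admin session fails before the
// handler runs, and the antiforgery check still applies on top of that.
[Authorize(Roles = MyRole.Admin)]
public class CreateUserModel : PageModel
{
    private readonly UserManager<IdentityUser> _userManager;
    public CreateUserModel(UserManager<IdentityUser> userManager) => _userManager = userManager;

    [BindProperty]
    public CreateUserInput Input { get; set; } = new CreateUserInput();

    public class CreateUserInput
    {
        [Required, EmailAddress] public string Email { get; set; }
        [Required, DataType(DataType.Password)] public string Password { get; set; }
        [Required] public string Role { get; set; }
    }

    public async Task<IActionResult> OnPostAsync()
    {
        if (!ModelState.IsValid) return Page();

        // Defence in depth: the attribute already guarantees an admin caller, but
        // re-checking in the handler (as the question suggests) costs nothing and
        // keeps protecting the privileged path if the attribute is removed later.
        if (Input.Role == MyRole.Admin && !User.IsInRole(MyRole.Admin))
            return Forbid();

        var user = new IdentityUser { UserName = Input.Email, Email = Input.Email };
        var result = await _userManager.CreateAsync(user, Input.Password);
        if (!result.Succeeded)
        {
            foreach (var e in result.Errors) ModelState.AddModelError(string.Empty, e.Description);
            return Page();
        }

        // AddToRoleAsync fails (result.Succeeded == false) for a role that does
        // not exist, so an arbitrary role string cannot be granted by accident.
        await _userManager.AddToRoleAsync(user, Input.Role);
        return RedirectToPage("/Index");
    }
}
```

Design note: the split matters more than the in-handler check. Once the public registration input simply has no Role member, there is nothing for a forged form to over-post, and the admin page can be reasoned about on its own under a single [Authorize] requirement.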

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0
