Premise is simple - you need token to verify that this is you who is posting to the page and not somebody else posting for you.
Token is written to the form and to the cookie using HtmlHelper.AntiForgeryToken() helper, and when form is posted, controller will validate the token for the post action that has token validation attribute enabled:
There is a great article by Scott Gu about it:
http://weblogs.asp.net/dixin/archive/2010/05/22/anti-forgery-request-recipes-for-asp-net-mvc-and-ajax.aspx
Token is written to the form and to the cookie using HtmlHelper.AntiForgeryToken() helper, and when form is posted, controller will validate the token for the post action that has token validation attribute enabled:
[HttpPost] [ValidateAntiForgeryToken(Salt = Constants.AntiForgeryTokenSalt)]
There is a great article by Scott Gu about it:
http://weblogs.asp.net/dixin/archive/2010/05/22/anti-forgery-request-recipes-for-asp-net-mvc-and-ajax.aspx
