Mou

Reputation: 16272

How to invalidate AntiForgeryToken Asp.Net MVC 3

I have implemented AntiForgeryToken in my form. It is working. Now I want to invalidate it from outside, just for testing purposes, because I need to see what will happen when the AntiForgeryToken is tampered with.

So guide me on how to invalidate/tamper my AntiForgeryToken to see what exception will be generated. Also guide me on how to capture that exception from the action method and redirect the user to another page with a friendly message.

A couple of questions about AntiForgeryToken:

1) I would also like to know in detail how AntiForgeryToken works.

2) Does AntiForgeryToken generate a unique value for each request? If yes, then why?

3) A web site may have many pages, so just guide me with a few examples of those pages or forms where AntiForgeryToken needs to be implemented.

4) Can I write multiple AntiForgeryTokens in the same form? If not, why? Looking for a good discussion.

Thanks

Upvotes: 1

Views: 1864

Answers (1)

Jeremy Cook

Reputation: 22063

Invalidate by modifying or deleting the __RequestVerificationToken cookie before submitting the form.

  1. I can't explain it better than Steve Sanderson.
  2. Once the cookie is set it is reused over the user's browsing session. You can salt tokens and therefore have a different token for different forms. I don't see any reason not to apply it to all post forms and actions.
  3. Any action that modifies state based on user input (a database, a user's session, ...) should definitely be protected using this technique.
  4. Only one token is needed for one form to postback. Posting any more would not provide any additional security and may break MVC.

Upvotes: 1
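The question also asks how to catch the exception that a tampered or missing token produces and send the user to a friendly page. The following is an added example written for this page, not code from the answer above or from the ASP.NET MVC project; it uses the real MVC 3 types (`ValidateAntiForgeryTokenAttribute`, `HttpAntiForgeryException`, `IExceptionFilter`, `RedirectToRouteResult`), while the controller, action and model names (`ProfileController`, `ErrorController`, `InvalidToken`, `ProfileModel`) and the commented-out logging call are hypothetical.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Added example, not part of the original answer. Controller, action and
// model names are hypothetical placeholders.

// Exception filter that handles only HttpAntiForgeryException. MVC throws it
// from [ValidateAntiForgeryToken] when the hidden form field and the
// __RequestVerificationToken cookie do not match, or one of them is missing.
// Every other exception type is left to [HandleError] / customErrors.
public class HandleAntiForgeryErrorAttribute : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        if (filterContext.ExceptionHandled ||
            !(filterContext.Exception is HttpAntiForgeryException))
        {
            return;
        }

        // A failed check is either a stale session or a forged request, so it
        // is worth recording. (Hypothetical logger; replace with your own.)
        // Logger.Warn("Anti-forgery check failed: " + filterContext.HttpContext.Request.RawUrl);

        filterContext.ExceptionHandled = true;
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary
            {
                { "controller", "Error" },
                { "action", "InvalidToken" }
            });
    }
}

// Hypothetical model bound from the form.
public class ProfileModel
{
    public string DisplayName { get; set; }
}

// A state-changing action (point 3 of the answer) protected by the token.
[HandleAntiForgeryError]
public class ProfileController : Controller
{
    [HttpGet]
    public ActionResult Edit()
    {
        // The Razor view for this action renders the token exactly once
        // inside the form (point 4 of the answer):
        //   @using (Html.BeginForm()) {
        //       @Html.AntiForgeryToken()
        //       @Html.TextBoxFor(m => m.DisplayName)
        //       <input type="submit" value="Save" />
        //   }
        return View(new ProfileModel());
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // compares the hidden field with the cookie
    public ActionResult Edit(ProfileModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        // ... persist the change ...
        return RedirectToAction("Edit");
    }
}

// Friendly landing page for a failed check.
public class ErrorController : Controller
{
    public ActionResult InvalidToken()
    {
        ViewBag.Message =
            "Your session has expired or the form could not be verified. " +
            "Please go back and submit it again.";
        return View();
    }
}
```

To apply the filter to every controller rather than decorating each one, add `GlobalFilters.Filters.Add(new HandleAntiForgeryErrorAttribute());` in `Application_Start` in Global.asax. To exercise it the way the answer describes, delete or edit the `__RequestVerificationToken` cookie in the browser and resubmit the form: the POST then raises `HttpAntiForgeryException`, and the filter turns it into a redirect to `/Error/InvalidToken` instead of the default error page.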
