I have developed and deployed an MVC5 .NET app which runs within an intranet and uses LDAP to authenticate users. Since MVC 5 gives you the @Html.Antiforgery() by default, I used them in every form. However, in production, where the app is running on multiple nodes, I'm having problems with the tokens when sessions expire, etc.
So I was wondering if I should even be using them in the first place, or if I could just remove them since the site runs on an intranet.
Best How To:
The mitigation for the clear GIF attack is to design your intranet site so that GET requests never update state or perform sensitive operations.
The mitigation for the script/post attack is to include a CSRF token in all of your forms.
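The two rules in the answer, written out as an ASP.NET MVC 5 controller. This is an added example, not code from the question or the answer; the names `IntranetController`, `IUserDirectory`, `ChangeRoleModel` and the `Role` action are hypothetical, and the LDAP-backed store is stubbed behind an interface. The GET action only reads, so a `<img>` pointing at it from another page changes nothing; the state change lives behind a POST that is rejected unless the form carried the token emitted by `@Html.AntiForgeryToken()`. A global filter is included as a safety net so that a POST action that forgets `[ValidateAntiForgeryToken]` is still covered.

```csharp
// Added example (not from the original post). ASP.NET MVC 5: GET never changes
// state, every state-changing verb is token-checked. All type names are hypothetical.
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical wrapper around the LDAP-backed user store.
public interface IUserDirectory
{
    string GetRole(string userName);
    void SetRole(string userName, string role);
}

public class ChangeRoleModel
{
    public string UserName { get; set; }
    public string Role { get; set; }
}

// Registered once as a global filter: any request with a state-changing verb
// must carry a valid token, so a forgotten [ValidateAntiForgeryToken] on one
// action cannot silently reopen the CSRF hole. Safe verbs are let through
// because they carry no token and (rule 1) must not change state anyway.
public class ValidateAntiForgeryOnUnsafeMethodsAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var method = filterContext.HttpContext.Request.HttpMethod;
        if (method == "GET" || method == "HEAD" || method == "OPTIONS" || method == "TRACE")
            return;
        // Throws HttpAntiForgeryException when the cookie/form token pair is
        // missing, mismatched, or was issued for a different user.
        AntiForgery.Validate();
    }
}

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new ValidateAntiForgeryOnUnsafeMethodsAttribute());
    }
}

[Authorize]
public class IntranetController : Controller
{
    private readonly IUserDirectory _directory;

    public IntranetController(IUserDirectory directory)
    {
        _directory = directory;
    }

    // Rule 1: GET only reads. A planted <img src="/Intranet/Role?userName=..">
    // will be fetched by the victim's browser, but nothing changes.
    [HttpGet]
    public ActionResult Role(string userName)
    {
        var model = new ChangeRoleModel
        {
            UserName = userName,
            Role = _directory.GetRole(userName)
        };
        // The view renders <form method="post"> containing @Html.AntiForgeryToken(),
        // which emits the hidden __RequestVerificationToken field.
        return View(model);
    }

    // Rule 2: the state change is POST-only and token-checked. A cross-site
    // auto-submitting form cannot read the victim's hidden token value, so the
    // forged request is rejected before SetRole runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Role(ChangeRoleModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        _directory.SetRole(model.UserName, model.Role);
        return RedirectToAction("Role", new { userName = model.UserName });
    }
}
```

Two practical notes. First, the attack the answer describes originates in the victim's own browser, which is already inside the intranet and already holds the LDAP-authenticated session; the network boundary does not help, which is why removing the tokens is the wrong fix. Second, on a multi-node deployment the antiforgery token is protected with the application's machineKey, so every node must share an identical explicit `<machineKey>` in web.config; with per-node auto-generated keys, a token issued by one node fails validation on another, which matches the symptom in the question.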