asp.net-mvc: Generating AntiForgeryToken in WebForms
Original: http://stackoverflow.com/questions/1321508/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Asked by Naz
I have a .NET Webforms site that needs to post to my MVC application, which currently sits inside the Webforms site as a separate application.
The Webforms application needs to POST some sensitive values to the MVC application.
Is there a way to generate an AntiForgeryToken() in my WebForms application so it can be passed with the form post?
Otherwise, does anyone know of any other custom anti-forgery code that will allow me to do something similar to MVC's AntiForgeryValidation?
Answered by Ian Ippolito
This is an old question, but the latest Visual Studio 2012 ASP.NET template for web forms includes anti CSRF code baked into the master page. If you don't have the templates, here's the code it generates:
```vbnet
' Declarations used by the handlers below (same keys as the C# version of this template)
Private Const AntiXsrfTokenKey As String = "__AntiXsrfToken"
Private Const AntiXsrfUserNameKey As String = "__AntiXsrfUserName"
Private _antiXsrfTokenValue As String

Protected Sub Page_Init(sender As Object, e As System.EventArgs)
    ' The code below helps to protect against XSRF attacks
    Dim requestCookie As HttpCookie = Request.Cookies(AntiXsrfTokenKey)
    Dim requestCookieGuidValue As Guid
    If ((Not requestCookie Is Nothing) AndAlso Guid.TryParse(requestCookie.Value, requestCookieGuidValue)) Then
        ' Use the Anti-XSRF token from the cookie
        _antiXsrfTokenValue = requestCookie.Value
        Page.ViewStateUserKey = _antiXsrfTokenValue
    Else
        ' Generate a new Anti-XSRF token and save to the cookie
        _antiXsrfTokenValue = Guid.NewGuid().ToString("N")
        Page.ViewStateUserKey = _antiXsrfTokenValue
        Dim responseCookie As HttpCookie = New HttpCookie(AntiXsrfTokenKey) With {.HttpOnly = True, .Value = _antiXsrfTokenValue}
        If (FormsAuthentication.RequireSSL And Request.IsSecureConnection) Then
            responseCookie.Secure = True
        End If
        Response.Cookies.Set(responseCookie)
    End If
    AddHandler Page.PreLoad, AddressOf master_Page_PreLoad
End Sub

Private Sub master_Page_PreLoad(sender As Object, e As System.EventArgs)
    If (Not IsPostBack) Then
        ' Set Anti-XSRF token
        ViewState(AntiXsrfTokenKey) = Page.ViewStateUserKey
        ViewState(AntiXsrfUserNameKey) = If(Context.User.Identity.Name, String.Empty)
    Else
        ' Validate the Anti-XSRF token
        If (Not DirectCast(ViewState(AntiXsrfTokenKey), String) = _antiXsrfTokenValue _
            Or Not DirectCast(ViewState(AntiXsrfUserNameKey), String) = If(Context.User.Identity.Name, String.Empty)) Then
            Throw New InvalidOperationException("Validation of Anti-XSRF token failed.")
        End If
    End If
End Sub
```
Answered by Richard
Implementing it yourself is not too difficult.
- Generate a GUID
- Put it in a hidden field
- Also put it in Session or Cookie (in the latter case, with some anti-tamper protection)
- At the start of processing the form, compare the field and stored token.
(If you look at the implementation of MVC, there is very little more to it. A few helper methods are all you need.)
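The four steps above, worked through as an added example (hypothetical helper class, not code from this answer or from ASP.NET): the GUID goes into the hidden field, the cookie copy is HMAC-signed so it cannot be tampered with, and the postback compares field and cookie in constant time. The secret, cookie name and field name are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Hypothetical helper (added example): GUID token in a hidden field plus an
// HMAC-signed HttpOnly cookie, compared on postback.
public static class AntiForgeryHelper
{
    private const string CookieName = "__AntiForgeryToken";
    public const string FieldName = "__AntiForgeryField";
    // Assumption: per-deployment secret loaded from configuration; never hard-code it in real use.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("REPLACE-WITH-DEPLOYMENT-SECRET");

    private static string Sign(string token)
    {
        using (var hmac = new HMACSHA256(Secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Steps 1-3: generate the GUID, store "token.signature" in an HttpOnly cookie,
    // and return the bare token for the hidden field.
    public static string IssueToken(HttpContext context)
    {
        var token = Guid.NewGuid().ToString("N");
        var cookie = new HttpCookie(CookieName, token + "." + Sign(token))
        {
            HttpOnly = true,
            Secure = context.Request.IsSecureConnection
        };
        context.Response.Cookies.Set(cookie);
        return token;
    }

    // Step 4: reject a tampered cookie, then require the hidden field to match the cookie token.
    public static bool Validate(HttpContext context)
    {
        var cookie = context.Request.Cookies[CookieName];
        var field = context.Request.Form[FieldName];
        if (cookie == null || string.IsNullOrEmpty(field)) return false;
        var parts = cookie.Value.Split('.');
        if (parts.Length != 2 || !FixedTimeEquals(Sign(parts[0]), parts[1])) return false;
        return FixedTimeEquals(parts[0], field);
    }

    // Constant-time comparison so a token cannot be guessed character by character via timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In Page_Load, render IssueToken(Context) into a hidden input named AntiForgeryHelper.FieldName when !IsPostBack, and throw if Validate(Context) returns false on postback.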
Answered by DavidC
The C# version of Ian Ippolito's answer:
```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class SiteMaster : MasterPage
{
    private const string AntiXsrfTokenKey = "__AntiXsrfToken";
    private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
    private string _antiXsrfTokenValue;

    protected void Page_Init(object sender, EventArgs e)
    {
        // The code below helps to protect against XSRF attacks
        var requestCookie = Request.Cookies[AntiXsrfTokenKey];
        Guid requestCookieGuidValue;
        if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
        {
            // Use the Anti-XSRF token from the cookie
            _antiXsrfTokenValue = requestCookie.Value;
            Page.ViewStateUserKey = _antiXsrfTokenValue;
        }
        else
        {
            // Generate a new Anti-XSRF token and save to the cookie
            _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
            Page.ViewStateUserKey = _antiXsrfTokenValue;
            var responseCookie = new HttpCookie(AntiXsrfTokenKey)
            {
                HttpOnly = true,
                Value = _antiXsrfTokenValue
            };
            if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
            {
                responseCookie.Secure = true;
            }
            Response.Cookies.Set(responseCookie);
        }
        Page.PreLoad += master_Page_PreLoad;
    }

    protected void master_Page_PreLoad(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Set Anti-XSRF token
            ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
            ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
        }
        else
        {
            // Validate the Anti-XSRF token
            if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
            {
                throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
            }
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
    }
}
```
Answered by Mark Brackett
WebForms has a pretty similar analog in Page.ViewStateUserKey. By setting that to a per-user value (most choose HttpSessionState.SessionId), WebForms will validate the ViewState¹ as part of the MAC check.
```csharp
protected override void OnInit(EventArgs e)
{
    base.OnInit(e);
    // Tie the ViewState MAC to this user's session so ViewState captured for
    // another session fails validation on postback
    ViewStateUserKey = Session.SessionID;
}
```
¹ There are scenarios where ViewStateUserKey will not help. Mainly, they boil down to doing dangerous things with GET requests (or in Page_Load without checking IsPostBack), or disabling ViewStateMAC.
Answered by Keith
You can use reflection to get at the MVC methods used to set the cookie and the matching form input used for the MVC validation. That way you can have an MVC action with [AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken] attributes that you can post to from a WebForms-generated page.
See this answer: Using an MVC HtmlHelper from a WebForm