Tuesday, December 10, 2013

XSRF Cross Site Request Forgery attack - ASP.NET MVC

This is a note on a topic that I've been meaning to write about for a very long time. I'm a bit old, have been around a bit and have worked with a whole range of people. The interesting thing about XSRF (more commonly called CSRF) is that I hardly ever hear it mentioned in the workplace. I hope other folk have a better experience, but we just seem to get on with the list of functional requirements in time for the next deadline. Perhaps that's why it's not talked about enough, yet it remains one of the most commonly exploited attack vectors out there.

A quick intro.

In simple terms:

  1. A friendly person A visits our happy site Happy.com and logs in. 
  2. Happy.com authenticates him and gives him an authentication cookie, so that on every later request we know he's a good guy.
  3. Unknowingly, friendly guy A then visits a bad site, Evil.com, in the same browser.
  4. Evil.com sneakily returns a page containing a form (or a script) whose action points at Happy.com, and submits it. The browser automatically attaches the Happy.com authentication cookie to that request, so our server treats the forged request as though A had sent it deliberately.
  5. Bad things can happen: whatever the targeted action does (edit a record, transfer money, change an e-mail address) is done on A's behalf.

This works because the browser attaches the authentication cookie to every request it sends to Happy.com, regardless of which page built the form. 
The standard defence is to make the server prove that the form was issued by Happy.com itself, and not by some other origin. ASP.NET MVC does this with an anti-forgery token: a secret embedded in every form that Evil.com has no way of obtaining. 


In the View we put the anti forgery helper:

<% using (Html.BeginForm()) { %>
    <%= Html.AntiForgeryToken() %>
    <%-- the form's own fields go here --%>
<% } %>


In the controller action we use the ValidateAntiForgeryToken attribute:

[ValidateAntiForgeryToken]
[AcceptVerbs(HttpVerbs.Post)]   // equivalent to [HttpPost] in MVC 2 and later
public ActionResult Edit(int id, FormCollection collection)   // original snippet ends after "int id,"; second parameter is the MVC scaffold default
{
    /* ... */
}

With this, ASP.NET issues two values that Evil.com cannot obtain: a random token stored in a cookie named __RequestVerificationToken, and a matching token written into a hidden field of the form. ValidateAntiForgeryToken rejects any POST in which the two do not agree. A page on Evil.com can make the browser send the cookie, but the same-origin policy stops it reading Happy.com's page, so it can never supply the hidden field. Two caveats: the check only runs on actions that carry the attribute, so every state-changing action needs it, and it only covers POSTs, so an action that changes state on a GET is still forgeable. Don't do side effects on GET.
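The following is an added example, not code from the original post or from ASP.NET: a small Python model of steps 1 to 5 above and of the cookie-plus-hidden-field check that Html.AntiForgeryToken() and ValidateAntiForgeryToken implement. It simplifies the real mechanism to a direct comparison of the two token values (the framework binds both to an encrypted, server-keyed token instead), but it relies on the same property: the attacker's page can make the browser send Happy.com's cookies, yet cannot read them or the hidden field. The site name, cookie names, user "alice", her balance and the amounts are all constructed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    site: str
    path: str
    cookies: dict
    form: dict


@dataclass
class Browser:
    # site -> {cookie name: value}; a constructed stand-in for a real cookie jar
    cookie_jar: dict = field(default_factory=dict)

    def post(self, site, path, form):
        # The browser attaches every cookie it holds for `site`, no matter
        # which page built the form. That is what makes CSRF possible.
        return Request(site, path, dict(self.cookie_jar.get(site, {})), form)


class HappyServer:
    SITE = "happy.com"

    def __init__(self, validate_antiforgery):
        self.validate = validate_antiforgery
        self.sessions = {}              # auth cookie value -> user name
        self.balances = {"alice": 100}  # constructed sample state

    def login(self, browser, user):
        # Step 2: authenticate and hand out the auth cookie.
        auth = secrets.token_hex(16)
        self.sessions[auth] = user
        browser.cookie_jar.setdefault(self.SITE, {})[".ASPXAUTH"] = auth

    def render_edit_form(self, browser):
        # Simplified model of Html.AntiForgeryToken(): a random token goes
        # into a cookie and the same token into a hidden field of the page.
        token = secrets.token_hex(16)
        browser.cookie_jar[self.SITE]["__RequestVerificationToken"] = token
        return {"__RequestVerificationToken": token}

    def edit(self, req):
        # Model of the Edit action, with or without [ValidateAntiForgeryToken].
        user = self.sessions.get(req.cookies.get(".ASPXAUTH"))
        if user is None:
            return "401 not logged in"
        if self.validate:
            cookie_token = req.cookies.get("__RequestVerificationToken", "")
            form_token = req.form.get("__RequestVerificationToken", "")
            if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
                return "400 anti-forgery token invalid"
        self.balances[user] -= int(req.form["amount"])
        return "200 ok"


def evil_page_submits(browser):
    # Step 4: Evil.com serves <form action="https://happy.com/edit" method="post">
    # with amount=50 and auto-submits it. It cannot read Happy.com's cookies or
    # the hidden field, so the best it can do is guess a token value.
    return browser.post(HappyServer.SITE, "/edit",
                        {"amount": "50", "__RequestVerificationToken": "guess"})


def run_scenario(validate_antiforgery):
    """Return (legitimate result, forged result, alice's final balance)."""
    browser = Browser()
    server = HappyServer(validate_antiforgery)
    server.login(browser, "alice")                      # steps 1-2
    legit_form = server.render_edit_form(browser)       # alice loads the page
    legit_form["amount"] = "10"
    legit = server.edit(browser.post(HappyServer.SITE, "/edit", legit_form))
    forged = server.edit(evil_page_submits(browser))    # steps 3-4
    return legit, forged, server.balances["alice"]


if __name__ == "__main__":
    print("without validation:", run_scenario(False))
    print("with validation:   ", run_scenario(True))
```

Without validation both requests succeed and the forged one takes 50 off alice's balance; with validation the legitimate form still works, but the forged request is refused even though the browser dutifully sent the __RequestVerificationToken cookie along with it, because Evil.com could not put the matching value in the form. The comparison uses hmac.compare_digest so that token checking does not leak timing information.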


