anti-CSRF token and Javascript

There are several techniques, which when used together provide a sufficient CSRF protection. Unique Token A single, session-specific token is good enough for most applications. Just make sure that your site doesn’t have any XSS vulnerabilities, otherwise any kind of token technique you employ is a waste. AJAX call to regenerate the token is a … Read more

The required anti-forgery cookie “__RequestVerificationToken” is not present

It almost sounds as if things are working as expected. The way the anti forgery helper @Html.AntiForgeryToken() works is by injecting a hidden form field named __RequestVerificationToken into the page AND it also sets a cookie into the browser. When the form is posted back the two are compared and if they don’t match or … Read more

RequestVerificationToken does not match

I’ve had and resolved several issues with ValidateAntiForgeryToken lately, so I’ll share my findings with you. Salt: Since you mention this only happens on a single page, my best guess is that you are using different salt values in your calls to Html.AntiForgeryToken(salt) and ValidateAntiForgeryToken(salt) calls. AJAX: as another answer has said, using AJAX may … Read more

If I add multiple forms in a single page, do I need to add separate Anti-Forgery Tokens in each form?

There is nothing specific that you need to do in this case. ASP.NET MVC will simply reuse the same value for all forms so it doesn’t need to know which form sent the request in order to validate it. Simply put an Html.AntiForgeryToken() in each form and decorate each controller action you are posting to … Read more

A way of properly handling HttpAntiForgeryException in MVC 4 application

If you only have one or a few functions affected, creating a filter might be slightly technical overkill. A simpler but non generic solution is to simply remove the [ValidateAntiForgeryToken] for the specific method and add a manual validation after checking if the user is logged in. if (User.Identity.IsAuthenticated) { return RedirectToAction("Index", "Home"); } System.Web.Helpers.AntiForgery.Validate(); … Read more

Web API and ValidateAntiForgeryToken

You could implement such authorization attribute: [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)] public sealed class ValidateAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter { public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(HttpActionContext actionContext, CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation) { try { AntiForgery.Validate(); } catch { actionContext.Response = new HttpResponseMessage { StatusCode = HttpStatusCode.Forbidden, RequestMessage = actionContext.ControllerContext.Request }; return FromResult(actionContext.Response); } return continuation(); … Read more

How can I supply an AntiForgeryToken when posting JSON data using $.ajax?

You don’t need the ValidationHttpRequestWrapper solution since MVC 4. According to this link. Put the token in the headers. Create a filter. Put the attribute on your method. Here is my solution: var token = $('input[name="__RequestVerificationToken"]').val(); var headers = {}; headers['__RequestVerificationToken'] = token; $.ajax({ type: 'POST', url: '/MyTestMethod', contentType: 'application/json; charset=utf-8', headers: headers, data: JSON.stringify({ … Read more

jQuery Ajax calls and the Html.AntiForgeryToken()

I use a simple js function like this AddAntiForgeryToken = function(data) { data.__RequestVerificationToken = $('#__AjaxAntiForgeryForm input[name=__RequestVerificationToken]').val(); return data; }; Since every form on a page will have the same value for the token, just put something like this in your top-most master page <%-- used for ajax in AddAntiForgeryToken() --%> <form id="__AjaxAntiForgeryForm" action="#" method="post"><%= Html.AntiForgeryToken()%></form> … Read more
