Where exactly to put the antiforgeryToken

2024/2/27 8:11:17

I have a layout page that has a form with AntiForgeryToken

using (Html.BeginForm(action, "Account", new { ReturnUrl = returnUrl }, FormMethod.Post, new { Id = "xcrf-form" }))

This generates a hidden field

<input name="__RequestVerificationToken" type="hidden" value="p43bTJU6xjctQ-ETI7T0e_0lJX4UsbTz_IUjQjWddsu29Nx_UE5rcdOONiDhFcdjan88ngBe5_ZQbHTBieB2vVXgNJGNmfQpOm5ATPbifYE1">

In my angular view (that is loaded in a div in the layout page, I do this

<form class="form" role="form" ng-submit="postReview()">

And my code for postReview() is as follows

$scope.postReview = function () {var token = $('[name=__RequestVerificationToken]').val();var config = {headers: {"Content-Type": "multipart/form-data",// the following when uncommented does not work either//'RequestVerificationToken' : token//"X-XSRF-TOKEN" : token}}// tried the following, since my other MVC controllers (non-angular) send the token as part of form data, this did not work though$scope.reviewModel.__RequestVerificationToken = token;// the following was mentioned in some link I found, this does not work either$http.defaults.headers.common['__RequestVerificationToken'] = token;$http.post('/Review/Create', $scope.reviewModel, config).then(function (result) {// Successalert(result.data);}, function (error) {// Failurealert("Failed");});

My MVC Create method is as follows

    [HttpPost][ValidateAntiForgeryToken][AllowAnonymous]public ActionResult Create([Bind(Include = "Id,CommentText,Vote")] ReviewModel reviewModel){if (User.Identity.IsAuthenticated == false){// I am doing this instead of [Authorize] because I dont want 302, which browser handles and I cant do client re-directionreturn new HttpStatusCodeResult(HttpStatusCode.Forbidden);}// just for experimenting I have not yet added it to db, and simply returningreturn new JsonResult {Data = reviewModel, JsonRequestBehavior = JsonRequestBehavior.AllowGet};}

So no matter where I put the token, no matter what I use for 'Content-Type' (I tried application-json and www-form-urlencoded) I always get the error "The required anti-forgery form field "__RequestVerificationToken" is not present."

I even tried naming __RequestVerificationToken and RequestVerificationToken

Why does my server not find the damn token?

I also looked at couple of links that ask you to implement your own AntiForgeryToeknVerifyAttrbute and verify the token that is sent as cookieToken:formToken, I have not tried that but why I am not able to get it working whereas this works for the MVC controllers (non-angular posts)


Yes. By default, MVC Framework will check for Request.Form["__RequestVerificationToken"].

Checking the MVC source code

    public AntiForgeryToken GetFormToken(HttpContextBase httpContext){string value = httpContext.Request.Form[_config.FormFieldName];if (String.IsNullOrEmpty(value)){// did not existreturn null;}return _serializer.Deserialize(value);}

You need to create your own filter to check it from Request.Header

Code Snippet from Phil Haack's Article - MVC 3

private class JsonAntiForgeryHttpContextWrapper : HttpContextWrapper {readonly HttpRequestBase _request;public JsonAntiForgeryHttpContextWrapper(HttpContext httpContext): base(httpContext) {_request = new JsonAntiForgeryHttpRequestWrapper(httpContext.Request);}public override HttpRequestBase Request {get {return _request;}}
}private class JsonAntiForgeryHttpRequestWrapper : HttpRequestWrapper {readonly NameValueCollection _form;public JsonAntiForgeryHttpRequestWrapper(HttpRequest request): base(request) {_form = new NameValueCollection(request.Form);if (request.Headers["__RequestVerificationToken"] != null) {_form["__RequestVerificationToken"] = request.Headers["__RequestVerificationToken"];}
}public override NameValueCollection Form {get {return _form;}}
}[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public class ValidateJsonAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter {public void OnAuthorization(AuthorizationContext filterContext) {if (filterContext == null) {throw new ArgumentNullException("filterContext");}var httpContext = new JsonAntiForgeryHttpContextWrapper(HttpContext.Current);AntiForgery.Validate(httpContext, Salt ?? string.Empty);}public string Salt {get;set;}// The private context classes go here

Check out here for MVC 4 implementation, to avoid salt issue

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class,AllowMultiple = false, Inherited = true)]
public sealed class ValidateJsonAntiForgeryTokenAttribute: FilterAttribute, IAuthorizationFilter
{public void OnAuthorization(AuthorizationContext filterContext){if (filterContext == null){throw new ArgumentNullException("filterContext");}var httpContext = filterContext.HttpContext;var cookie = httpContext.Request.Cookies[AntiForgeryConfig.CookieName];AntiForgery.Validate(cookie != null ? cookie.Value : null,httpContext.Request.Headers["__RequestVerificationToken"]);}

Related Q&A

Disable automatic date parsing with Google Scripts

Im using Google Scripts for some Google Spreadsheets magic and the automatic date parsing is driving me nuts! The sheet Im working with is littered with all sorts of date formats and I would much rathe…

How to rotate x-axis text in dimple.js?

This is my dimple bar chart (powered by d3):var sidechart = new dimple.chart(chart_svg, data);sidechart.setBounds(60, 30, 200, 300)var x = sidechart.addCategoryAxis("x", "Long name"…

TypeError: Handlebars.registerHelper is not a function

I am brand new to node and handlebars as of two days ago so bear with me. I am trying to use custom handlebars helpers but am not entirely sure where to put it.I keep getting "TypeError: Handlebar…

Why doesnt discriminated union work when I omit/require props?

I have a component which renders different elements based on a specific property, called type. It could have type definitions like this: interface CommonProps {size: lg | md | sm; }interface SelectInpu…

How to correctly unsubscribe from a socket.io room and destroy it?

I have an internal loop for each socket:if (!chat.room.list[hash]) { // room has expiredsocket.leave(hash);delete chat.user.list[socket.store.data.id].rooms[hash];delete socket.store.data.inRooms[hash]…

Setting document.body.className as a variable

This is my code to switch the class of my body tag when a user clicks a link.function switchBodyColor() {if (document.body.className == blue)document.body.className = red;else if (document.body.classNa…

Typeahead.js with clickable links

I want to implement a search with typeahead functionality on my site and followed the instructions here: http://twitter.github.io/typeahead.js/examples/#custom-templatesHowever, the examples all show t…

Javascript countdown for specific time and date

I am using a jQuery plugin to put the countdown timer in my webpage. Currently the code that controls what the timer displays is:<script type="text/javascript">var clock = $(.clock).Fli…

Marquee Text When Text Overflows

well heres my problem. Lets say i have 3 div tags, all are 100pixels wide:<--- DIV WIDTH ---> Text in div 1 Text in div two, it overflows Text in div three <--- DIV WIDTH --->Now, currently…

Calling variables defined in outer function from inner function with debugger

From the jQuery docs javascript guide: Because local scope works through functions, any functions definedwithin another have access to variables defined in the outer function:function outer() {var x = …