I'm trying mitigate CSRF issues for MVC application but facing issues while adding anti forgery token in following code in cshtml. Tried searching around but no concrete solution found.
Would appreciate any help..
<td class="ignoreClick"> @Ajax.ActionLink( "Delete","DeleteStudent","RqstProcessor", new { id = current.key }, new AjaxOptions { AllowCache = false, HttpMethod = "POST", UpdateTargetId = "StudentList", InsertionMode = InsertionMode.Replace, }, new { @class = "ignoreClick" } ) </td>
You could create a form with @Html.AntiForgeryToken() to generate html whose name is __RequestVerificationToken.
Finally I'm going to write an attribute that inherits from the ValidateAntiForgeryTokenAttribute and that accepts forgery tokens in both the
Request.Form and Request.QueryString
<script type="text/javascript">
$(document).ready(function () {
//Finding AntiForgeryToken input
var antiForgeryToken = $('input[name=__RequestVerificationToken]');
if (antiForgeryToken.length > 0) {
//Serializing AntiForgeryToken
var antiForgeryTokenSerialized = antiForgeryToken.serialize();
//For each anchor in page
$('a.ignoreClick').each(function (index, element) {
//Replace placeholder with serialized AntiForgeryToken
$(element).attr('href', $(element).attr('href').replace('__RequestVerificationToken=_', antiForgeryTokenSerialized));
});
}
});
</script>
in controller:
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class ValidateAjaxAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
public void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext == null)
{
throw new ArgumentNullException("filterContext");
}
var httpContext = filterContext.HttpContext;
var cookie = httpContext.Request.Cookies[AntiForgeryConfig.CookieName];
AntiForgery.Validate(cookie != null ? cookie.Value : null, filterContext.HttpContext.Request.QueryString["__RequestVerificationToken"]);
}
}
[HttpPost]
[ValidateAjaxAntiForgeryToken]
public ActionResult DeleteStudent(int id)
{
...
}
Best Regards.
Yuki Tao
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
None
0 Points
1 Post
How to add antiforgery token for AJAX call in MVC application
Jun 14, 2019 02:00 PM|NetCurious|LINK
I'm trying mitigate CSRF issues for MVC application but facing issues while adding anti forgery token in following code in cshtml. Tried searching around but no concrete solution found.
Would appreciate any help..
<td class="ignoreClick">
@Ajax.ActionLink(
"Delete","DeleteStudent","RqstProcessor",
new
{
id = current.key
},
new AjaxOptions
{
AllowCache = false,
HttpMethod = "POST",
UpdateTargetId = "StudentList",
InsertionMode = InsertionMode.Replace,
},
new
{
@class = "ignoreClick"
}
)
</td>
Contributor
3660 Points
1431 Posts
Re: How to add antiforgery token for AJAX call in MVC application
Jun 17, 2019 07:13 AM|Yuki Tao|LINK
Hi NetCurious,
This link covers one solution http://tpeczek.com/2010/05/using-antiforgerytoken-with-other-verbs.html
You could create a form with @Html.AntiForgeryToken() to generate html whose name is __RequestVerificationToken.
Finally I'm going to write an attribute that inherits from the ValidateAntiForgeryTokenAttribute and that accepts forgery tokens in both the Request.Form and Request.QueryString
For example:
In view:
... @using (Html.BeginForm(null, null, FormMethod.Post)) { @Html.AntiForgeryToken() } @Ajax.ActionLink("Delete","DeleteStudent","Home",new {id = current.key,__RequestVerificationToken = "_" },new System.Web.Mvc.Ajax.AjaxOptions { AllowCache = false, HttpMethod = "POST", UpdateTargetId = "StudentList", InsertionMode = InsertionMode.Replace },new{@class = "ignoreClick"}) ...change href in <a>:
<script type="text/javascript"> $(document).ready(function () { //Finding AntiForgeryToken input var antiForgeryToken = $('input[name=__RequestVerificationToken]'); if (antiForgeryToken.length > 0) { //Serializing AntiForgeryToken var antiForgeryTokenSerialized = antiForgeryToken.serialize(); //For each anchor in page $('a.ignoreClick').each(function (index, element) { //Replace placeholder with serialized AntiForgeryToken $(element).attr('href', $(element).attr('href').replace('__RequestVerificationToken=_', antiForgeryTokenSerialized)); }); } }); </script>in controller:
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)] public sealed class ValidateAjaxAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter { public void OnAuthorization(AuthorizationContext filterContext) { if (filterContext == null) { throw new ArgumentNullException("filterContext"); } var httpContext = filterContext.HttpContext; var cookie = httpContext.Request.Cookies[AntiForgeryConfig.CookieName]; AntiForgery.Validate(cookie != null ? cookie.Value : null, filterContext.HttpContext.Request.QueryString["__RequestVerificationToken"]); } }[HttpPost] [ValidateAjaxAntiForgeryToken] public ActionResult DeleteStudent(int id) { ... }Best Regards.
Yuki Tao
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.