deploying AntiforgeryToken Error
One thing I noticed is that this error could be caused by having multiple @Html.AntiForgeryToken() pieces of code on the page. I had 2 on my page and once I removed the second one, this error went away.
You could try reading from the headers:
    var headers = actionContext.Request.Headers;
    var cookie = headers
        .GetCookies()
        .Select(c => c[AntiForgeryConfig.CookieName])
        .FirstOrDefault();
    var rvt = headers.GetValues("__RequestVerificationToken").FirstOrDefault();
    AntiForgery.Validate(cookie != null ? cookie.Value : null, rvt);
Note: GetCookies is an extension method that exists in the class HttpRequestHeadersExtensions which is part of System.Net.Http.Formatting.dll. It will most likely exist in …
The ASP.NET MVC AntiForgeryToken won’t work through HTTP GET, because it relies on cookies which rely on HTTP POST (it uses the “Double Submit Cookies” technique described in the OWASP XSRF Prevention Cheat Sheet). You can also additionally protect the cookies sent to the client by setting them as httponly, so they cannot be spoofed …
I don’t know if you mean you are able to get the error on demand – or you’re seeing it in your logs but in any case here’s a way to guarantee an antiforgery token error. Wait for it…
Make sure you’re logged out, then enter your login
Double click on the login button
You’ll …
You could implement such an authorization attribute:
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
    public sealed class ValidateAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
    {
        public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(HttpActionContext actionContext, CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation)
        {
            try
            {
                AntiForgery.Validate();
            }
            catch
            {
                actionContext.Response = new HttpResponseMessage
                {
                    StatusCode = HttpStatusCode.Forbidden,
                    RequestMessage = actionContext.ControllerContext.Request
                };
                return FromResult(actionContext.Response);
            }
            return continuation();
            …
You don’t need the ValidationHttpRequestWrapper solution since MVC 4. According to this link. Put the token in the headers. Create a filter. Put the attribute on your method. Here is my solution:
    var token = $('input[name="__RequestVerificationToken"]').val();
    var headers = {};
    headers['__RequestVerificationToken'] = token;
    $.ajax({
        type: 'POST',
        url: '/MyTestMethod',
        contentType: 'application/json; charset=utf-8',
        headers: headers,
        data: JSON.stringify({ …
I use a simple js function like this
    AddAntiForgeryToken = function(data) {
        data.__RequestVerificationToken = $('#__AjaxAntiForgeryForm input[name=__RequestVerificationToken]').val();
        return data;
    };
Since every form on a page will have the same value for the token, just put something like this in your top-most master page
    <%-- used for ajax in AddAntiForgeryToken() --%>
    <form id="__AjaxAntiForgeryForm" action="#" method="post"><%= Html.AntiForgeryToken()%></form>
…