Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Henrik Sunesen 84 posts 281 karma points
    Oct 22, 2021 @ 11:42
    Henrik Sunesen
    0

    Status Code: 400 on form submit

    Hi all!

    i'm getting a HTTP 400, when i'm trying to submit a form.

    My form markup is equal to the one in the documentation: https://our.umbraco.com/documentation/Fundamentals/Code/Creating-Forms/

    the method i'm trying to call is:

    [HttpPost] 
     public IActionResult SubmitCaseSearch(CaseSearchForm form)
        {
                // Do some magic
                return CurrentUmbracoPage();
    }
    

    I hope someone can help me here.

  • Frank Laumann 39 posts 303 karma points
    Oct 22, 2021 @ 12:53
    Frank Laumann
    0

    Hi Henrik

    Have you change the markup to call SubmitCaseSearch instead of submit?

    Other than that I don't see any problems.

    Best regards Frank

  • Henrik Sunesen 84 posts 281 karma points
    Oct 22, 2021 @ 13:01
    Henrik Sunesen
    0

    Hi Frank,

    Yes, my form looks like this:

     @using (Html.BeginUmbracoForm<SearchController>(nameof(SearchController.SubmitCaseSearch)))
    {
      @Html.AntiForgeryToken()
     //Form fields
    }
    

    I can see that people are talking about issues, with POST, antiforgery token and surface controllers in umbraco 9.

    https://github.com/umbraco/UmbracoDocs/issues/3242

    I've just tied removing:

     @Html.AntiForgeryToken()
    

    From the form, and now it works :)

  • Frank Laumann 39 posts 303 karma points
    Oct 22, 2021 @ 13:05
    Frank Laumann
    0

    Maybe you need this tag [ValidateAntiForgeryToken] for the AntiForgeryToken to work

  • Henrik Sunesen 84 posts 281 karma points
    Oct 25, 2021 @ 06:35
    Henrik Sunesen
    0

    That does not work out :/

    It's still giving me the 404 when i using:

    @Html.AntiForgeryToken() in the view, and [ValidateAntiForgeryToken] in the controller.

  • Henrik Sunesen 84 posts 281 karma points
    Oct 25, 2021 @ 07:25
    Henrik Sunesen
    0

    It looks like .core automaticly adds the AntiForgeryToken:

    Here is the sourcecode without: @Html.AntiForgeryToken() and [ValidateAntiForgeryToken]

    https://www.screencast.com/t/kMZf3SHB1VFD

  • Frank Laumann 39 posts 303 karma points
    Oct 25, 2021 @ 07:28
    Frank Laumann
    0

    Is the name of the Token (input) the same if you use @Html.AntiForgeryToken() ?

  • Henrik Sunesen 84 posts 281 karma points
    Oct 25, 2021 @ 08:56
    Henrik Sunesen
    0

    Yes, the name attribute is identical with and withour the @Html.AntiForgeryToken()

    (name="__RequestVerificationToken")

  • Stefan 3 posts 24 karma points
    Nov 02, 2021 @ 09:09
    Stefan
    0

    try use the following:

    adding the [FromForm]

     [HttpPost] 
     public IActionResult SubmitCaseSearch([FromForm] CaseSearchForm form)
      {
                // Do some magic
                return CurrentUmbracoPage();
      }
    
  • Henrik Sunesen 84 posts 281 karma points
    Nov 03, 2021 @ 06:52
    Henrik Sunesen
    0

    No, Stefan that did not help solving my issue :(

  • Rick Nieling - Perplex 5 posts 88 karma points
    Nov 25, 2021 @ 08:27
    Rick Nieling - Perplex
    0

    Hi Henrik,

    Did you ever find the solution to this? I am running into the same problem.

    I have a very basic form and surface controller, and without the antiforgery token they work perfectly. But when i include @Html.AntiForgeryToken() in the form i get a "status code 400: bad request" error. The entire surface controller method wont be executed and debug breakpoints in the method wont be reached.

    Perhaps it's a more general asp.net core 5 setting? When googling this issue i came across the following document. It seems that only adding [AutoValidateAntiforgeryToken] for basic post requests seems enough, without explicitly adding @Html.AntiForgeryToken() in the html form.

    Can anyone explain how this works exactly?

    https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-5.0

  • Patrick de Mooij 73 posts 623 karma points MVP 3x c-trib
    Nov 25, 2021 @ 08:33
    Patrick de Mooij
    0

    Hi Rick, I think this is because Umbraco automatically adds a AntiForgeryToken for you to the form. If you also have the @Html.AntiForgeryToken, then it'll suddenly have two tokens which causes issues.

    If you remove your @Html.AntiForgeryToken and then take a look at your HTML, you'll see that an AntiForgeryToken has already been added as an input.

  • Rick Nieling - Perplex 5 posts 88 karma points
    Nov 25, 2021 @ 08:37
    Rick Nieling - Perplex
    0

    Hi Patrick,

    Yes, an element with the name="__RequestVerificationToken" has been added to the HTML.

    So what would be the correct method for checking this token in the controller? [ValidateAntiForgeryToken] or[AutoValidateAntiforgeryToken]? Or something else entirely?

  • Patrick de Mooij 73 posts 623 karma points MVP 3x c-trib
    Nov 25, 2021 @ 08:39
    Patrick de Mooij
    1

    You don't have to do anything with it. If you look at the SurfaceController source code, you can see that there is already a [AutoValidateAntiforgeryToken] attribute on the whole class that'll validate it for you (https://github.com/umbraco/Umbraco-CMS/blob/v9/contrib/src/Umbraco.Web.Website/Controllers/SurfaceController.cs#L20)

  • Rick Nieling - Perplex 5 posts 88 karma points
    Nov 25, 2021 @ 08:52
    Rick Nieling - Perplex
    0

    Ahh i see! Thanks for the insights Patrick!

Please Sign in or register to post replies

Write your reply to:

Draft