Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Ulf Möllerström 70 posts 247 karma points
    Jan 30, 2021 @ 14:12
    Ulf Möllerström
    0

    ValidateAntiForgeryToken lets any call through (UmbracoApiController)

    enter image description here

    I'm having a possibly "show stopper"-problem: The anti forgery validation isn't kicking in, and all calls are let through.

    I've tested from the view with a nonsense token and also empty from Postman.

  • Dan Diplo 1554 posts 6205 karma points MVP 6x c-trib
    Feb 01, 2021 @ 10:18
    Dan Diplo
    1

    The issue isn't really Umbraco but Web API, as it doesn't support Anti Forgery Tokens natively. My understanding is that these are cookie based so don't make sense in Web API.

    There are some workarounds, though:

    https://stackoverflow.com/questions/26620618/how-does-asp-net-validate-anti-forgery-token

  • Ulf Möllerström 70 posts 247 karma points
    Feb 01, 2021 @ 11:37
    Ulf Möllerström
    0

    Thanks' Dan!

  • Ulf Möllerström 70 posts 247 karma points
    Feb 01, 2021 @ 11:49
    Ulf Möllerström
    0

    For this project I just put this in the controller (for future reference).

    private static void ValidateRequestHeader(HttpRequest request)
    {
        var cookieToken = "";
        var formToken = "";
    
        if (request.Headers["RequestVerificationToken"] != null)
        {
            var tokens = request.Headers["RequestVerificationToken"].Split(':');
            if (tokens.Length == 2)
            {
                cookieToken = tokens[0].Trim();
                formToken = tokens[1].Trim();
            }
        }
        AntiForgery.Validate(cookieToken, formToken);
    }
    
    public static string TokenHeaderValue()
    {
        AntiForgery.GetTokens(null, out var cookieToken, out var formToken);
        return cookieToken + ":" + formToken;
    }
    

    Then in the view: enter image description here

    And then in js (that needs to be IE "compliant"): enter image description here

    Anti-CSRF and AJAX

Please Sign in or register to post replies

Write your reply to:

Draft