I'm having a possible "show stopper" problem: the anti-forgery validation isn't kicking in, and all calls are let through.
I've tested from the view with a nonsense token and also empty from Postman.
The issue isn't really Umbraco but Web API, as it doesn't support Anti Forgery Tokens natively. My understanding is that these are cookie based so don't make sense in Web API.
There are some workarounds, though:
https://stackoverflow.com/questions/26620618/how-does-asp-net-validate-anti-forgery-token
Thanks, Dan!
For this project I just put this in the controller (for future reference).
```csharp
using System.Web;
using System.Web.Helpers;

// Validates the "RequestVerificationToken" header, which carries the two tokens
// as "cookieToken:formToken". AntiForgery.Validate throws HttpAntiForgeryException
// when either half is missing or the pair does not match, so a bad request fails here.
private static void ValidateRequestHeader(HttpRequest request)
{
    var cookieToken = "";
    var formToken = "";
    var header = request.Headers["RequestVerificationToken"];
    if (header != null)
    {
        var tokens = header.Split(':');
        if (tokens.Length == 2)
        {
            cookieToken = tokens[0].Trim();
            formToken = tokens[1].Trim();
        }
    }
    AntiForgery.Validate(cookieToken, formToken);
}

// Issues a fresh token pair for the view to embed; the client sends it back
// in the same "cookieToken:formToken" form in the request header.
public static string TokenHeaderValue()
{
    AntiForgery.GetTokens(null, out var cookieToken, out var formToken);
    return cookieToken + ":" + formToken;
}
```
Then in the view:
And then in js (that needs to be IE "compliant"):
Anti-CSRF and AJAX
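The helper above has to be remembered and called from every action that needs it. As an added example (not code from this thread or from Umbraco), here is the same header check packaged as a Web API action filter, so it can be applied to a whole UmbracoApiController with `[ValidateAntiForgeryHeader]` and a bad request ends as a 403 instead of an unhandled exception; the class and attribute name are my own.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Helpers;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical filter: runs the cookieToken:formToken header check before the
// action, so no action can forget to validate and a failure is answered with 403.
public class ValidateAntiForgeryHeaderAttribute : ActionFilterAttribute
{
    private const string HeaderName = "RequestVerificationToken";

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        var cookieToken = "";
        var formToken = "";

        // Web API exposes HttpRequestMessage, so a header comes back as a list of values.
        IEnumerable<string> values;
        if (actionContext.Request.Headers.TryGetValues(HeaderName, out values))
        {
            var tokens = (values.FirstOrDefault() ?? "").Split(':');
            if (tokens.Length == 2)
            {
                cookieToken = tokens[0].Trim();
                formToken = tokens[1].Trim();
            }
        }

        try
        {
            // Throws HttpAntiForgeryException when the pair is missing, malformed,
            // or was not issued for the current user.
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Setting Response short-circuits the pipeline; the action never runs.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Invalid or missing anti-forgery token.");
        }
    }
}
```

Decorate the controller class, or only the state-changing POST/PUT/DELETE actions, with `[ValidateAntiForgeryHeader]`; the view still embeds `TokenHeaderValue()` and the script sends it in the same header as before.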
ValidateAntiForgeryToken lets any call through (UmbracoApiController)