disabling antiforgerytoken__requestverificationtoken in beginumbracoform - Using Umbraco and getting started

Go to solution

Press Ctrl / CMD + C to copy this to your clipboard.

Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

Phil Dye 149 posts 325 karma points

Feb 14, 2022 @ 14:34
0

Disabling AntiForgeryToken/__RequestVerificationToken in BeginUmbracoForm
To run a site behind a CDN, I need to disable the built-in anti-CSRF token stuff so that Html.BeginUmbracoForm() doesn't output the token.

How can I do that with v9?
- the underlying IHtmlHelper.BeginForm generates antiforgery tokens by default (source: https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.1#aspnet-core-antiforgery-configuration)
- none of the methods described there for disabling the automatic generation are available
- I can mark my SurfaceController methods with IgnoreAntiforgeryToken, but the token is still generated in the form
- Umbraco Forms has a config setting for it (although I'm not yet convinced that's working because I still see the token)
I need to ensure there are no tokens, as my attempts to set Cache-Control headers are being overridden with a log warning;

The 'Cache-Control' and 'Pragma' headers have been overridden and set to 'no-cache, no-store' and 'no-cache' respectively to prevent caching of this response. Any response that uses antiforgery should not be cached

Phil
Copy Link

Phil Dye 149 posts 325 karma points

Feb 16, 2022 @ 15:08

I've eventually solved this by injecting my own IAntiforgery class that basically does nothing - very quick-and-dirty, but seems to do the job;

public class NullAntiforgery : IAntiforgery
{
    private const string AntiforgeryTokenFieldName = "__RequestVerificationToken";
    private const string AntiforgeryTokenHeaderName = "RequestVerificationToken";

    public AntiforgeryTokenSet GetAndStoreTokens(HttpContext httpContext) => new(string.Empty, string.Empty, AntiforgeryTokenFieldName, AntiforgeryTokenHeaderName);

    public AntiforgeryTokenSet GetTokens(HttpContext httpContext) => new(string.Empty, string.Empty, AntiforgeryTokenFieldName, AntiforgeryTokenHeaderName);

    public Task<bool> IsRequestValidAsync(HttpContext httpContext) => Task.FromResult(true);

    public void SetCookieTokenAndHeader(HttpContext httpContext)
    {
        return;
    }

    public Task ValidateRequestAsync(HttpContext httpContext) => Task.FromResult(true);
}

Copy Link

is working on a reply...

Please Sign in or register to post replies

Flag this post as spam?

Disabling AntiForgeryToken/__RequestVerificationToken in BeginUmbracoForm