3

I do have SPA application that use some functionality of ASP.NET MVC4 like AntiForgeryToken.

I don't know how to implement AntiForgeryToken functionality in HTML without use of CSHTML which is not supported in Phonegap?

Radenko Zec
  • 7,659
  • 6
  • 35
  • 39

2 Answers2

3

I think there is a secure way to implement an anti-forgery token without a server generated page:

  1. Create a controller or web api method that sets an HTTP only cookie with your anti-forgery token value and returns the anti-forgery token value (as JSON). There is a public method AntiForgery.GetTokens() that is called by Html.AntiForgeryToken(). Use this method to read the token value in C# code.
  2. Call the controller or web api method (in step 1) from javascript in your phonegap app and take the returned anti-forgery token and add it to the form using javascript (use a hidden input field named _RequstVerificationToken).
  3. Submit the form to a method attributed with [ValidateAntiForgeryToken] and it should validate appropriately.

Microsoft has provided a very similar example implementation here (see section titled 'Anti-CSRF and AJAX').

On the surface this may seem insecure because you have a controller method that sets and returns the anti-forgery token, but web browsers enforce the same origin security policy, so XSRF attacks should not be possible.

Since phonegap uses local files it is not subject to the same origin policy (see here) so it will be able to make AJAX requests to any domain specified in your config.xml (see <access origin="..." /> here)

Community
  • 1
  • 1
gregjhogan
  • 2,095
  • 19
  • 21
2

The current implementation of the AntiForgery token in ASP.NET MVC relies on the HTML helper which generates a hidden input field and sets a cookie. If you cannot use this helper you will have to roll this functionality by yourself.

Darin Dimitrov
  • 1,023,142
  • 271
  • 3,287
  • 2,928
  • Hi Darin. Thanks for your fast answer. Problem is if I want to deploy application to PhoneGap I cannot use ASP.NET MVC. Do you know how to implement this functionality without rely on server to generate HTML ? – Radenko Zec Feb 20 '13 at 13:41
  • You cannot implement this functionality without a server side script. This doesn't make any sense. The whole point of the antiforgery token is to have a server which generates this token. – Darin Dimitrov Feb 20 '13 at 13:48
  • OK. I have idea that I create simple HTML page that will make AJAX request to some method on ASP.NET WebAPI that will generate token and return it to client. Than I can use this token in my next request to WebAPI ? Something like that. What do you think ? – Radenko Zec Feb 20 '13 at 13:51
  • You cannot have a simple HTML page. You need to include some dynamic value into this HTML text that is generated by the server. – Darin Dimitrov Feb 20 '13 at 13:53
  • 1
    Yes but then it appears that I cannot use AntiForgeryToken functionality with PhoneGap... – Radenko Zec Feb 20 '13 at 13:55
  • Yes, that's exactly what I am telling you :-) – Darin Dimitrov Feb 20 '13 at 13:57