
I have a form with an AntiForgeryToken() value in an MVC project. When the form is submitted, it is validated by ValidateAntiForgeryToken on the corresponding controller POST action in the MVC project.

It then goes to a confirmation page. The confirmation page has two buttons, each with a hidden form, which go to the same POST action as above. I have added Html.AntiForgeryToken() to those two hidden forms. When a button is clicked, we don't want a form post [page reload]; instead we want to use an Ajax post.

I have tried using an Ajax post (with the anti-forgery token), but it does not hit the POST action. It shows a 404 error.

Can you please suggest how to enable the AntiForgeryToken with an Ajax post? What kind of code handles that, and where should it be added?

Form details:

    <form method="post" action="">
        @Html.AntiForgeryToken()
        <input type="hidden" name="Name" value="@downloadInfo.Name" />
        <input type="hidden" name="Company" value="@downloadInfo.Company" />
        <input type="hidden" name="Email" value="@downloadInfo.Email" />
        <input type="hidden" name="Phone" value="@downloadInfo.Phone" />
    </form>

Ajax Post:

    $.ajax({
        url: url,
        type: 'POST',
        data: JSON.stringify(Formdatas),
        contentType: 'application/json; charset=utf-8',
        beforeSend: showLoadingGraphic(id),
        success: onSuccessfulPost
    });

Mikhail
Anandh

2 Answers

If you've received a 404, it's not from the token; you had an invalid URL or method. You are including your token in your Ajax form post, so use the tool Fiddler to look at what URL is being requested and fix that first.

I'm guessing your Ajax call using 'URL' is incorrect.

Adam Tuliper

Try generating your form as it should be (using the Html.BeginForm helper):

    @using (Html.BeginForm("SomeAction", "SomeController", FormMethod.Post, new { id = "myForm" }))
    {
        @Html.AntiForgeryToken()
        <input type="hidden" name="Name" value="@downloadInfo.Name" />
        <input type="hidden" name="Company" value="@downloadInfo.Company" />
        <input type="hidden" name="Email" value="@downloadInfo.Email" />
        <input type="hidden" name="Phone" value="@downloadInfo.Phone" />
    }

and then:

    var myForm = $('#myForm');
    $.ajax({
        url: myForm.attr('action'),
        type: myForm.attr('method'),
        data: myForm.serialize(),
        beforeSend: showLoadingGraphic(id),
        success: onSuccessfulPost
    });

Now the antiforgery token and the hidden fields will be properly sent to the server.

Darin Dimitrov
  • Hi Dimitrov, it's working perfectly. But can you please explain the reason for removing the contentType: JSON and data: JSON.stringify(myformdata.serialize())? – Anandh Apr 03 '13 at 07:35
  • The [`.serialize()`](http://api.jquery.com/serialize/) method takes all form input fields and formats them as an `application/x-www-form-urlencoded` request, which is the default when submitting a form without AJAX. So you don't need to set contentType to `JSON`. – Darin Dimitrov Apr 03 '13 at 07:54
  • Hi Dimitrov, great thanks for your help. Can you explain what the drawback is of converting a JavaScript object to JSON notation [JSON.stringify] in CSRF prevention? – Anandh Apr 04 '13 at 05:57
  • The `JSON.stringify` method takes a JavaScript object that you have to manually build. The `.serialize()` method takes all form input fields and does the job for you. Since you already have the hidden field containing the anti-forgery token, it will be included in the request. With the `JSON.stringify` method you will have to extract this value yourself, and I am not even sure that the server-side helper will understand it. – Darin Dimitrov Apr 04 '13 at 06:27
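
The difference between `.serialize()` and `JSON.stringify` discussed in the comments above, as an added example that is not part of the original answer or of ASP.NET itself. It assumes the hidden input rendered by `@Html.AntiForgeryToken()` is named `__RequestVerificationToken`; `readFormToken` is a hypothetical, simplified model of server-side form parsing, and all sample values are constructed.

```javascript
// Hidden input name rendered by @Html.AntiForgeryToken() (assumption stated in the lead-in).
const TOKEN_FIELD = '__RequestVerificationToken';

// Constructed sample of the hidden form's fields (all values are made up).
const sampleFields = [
  { name: TOKEN_FIELD, value: 'CONSTRUCTED-TOKEN-VALUE' },
  { name: 'Name', value: 'Jane Doe' },
  { name: 'Company', value: 'Example & Co' },
  { name: 'Email', value: 'jane@example.test' },
  { name: 'Phone', value: '555-0100' },
];

// Same wire format as jQuery's .serialize(): URL-encoded name=value pairs.
function serializeFields(fields) {
  const params = new URLSearchParams();
  for (const f of fields) params.append(f.name, f.value);
  return params.toString();
}

// The question's approach: a hand-built object sent as a JSON document.
function jsonBody(fields) {
  const obj = {};
  for (const f of fields) obj[f.name] = f.value;
  return JSON.stringify(obj);
}

// Hypothetical server-side model (not ASP.NET code): a form collection is only
// populated from url-encoded bodies; multipart handling is left out for brevity.
function readFormToken(contentType, body) {
  const type = contentType.split(';')[0].trim().toLowerCase();
  if (type !== 'application/x-www-form-urlencoded') return null; // JSON is not form data
  return new URLSearchParams(body).get(TOKEN_FIELD);
}

// Form-encoded post: the token arrives as a form field and can be validated.
const formPostToken = readFormToken(
  'application/x-www-form-urlencoded; charset=UTF-8', serializeFields(sampleFields));
// JSON post: the token is in the body, but never appears as a form field.
const jsonPostToken = readFormToken(
  'application/json; charset=utf-8', jsonBody(sampleFields));

console.log('form-encoded body:', serializeFields(sampleFields));
console.log('token seen for form post:', formPostToken);
console.log('token seen for JSON post:', jsonPostToken);
```
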