ValidateAntiForgeryToken is not working asp.net mvc with ajax post

Question

I have ASP.NET MVC 5 Application using .Net 4.5.1. The application has several jQuery ajax post method that POST data to server. To prevent cross-site request forgery (XSRF) i have added the following in _layout.cshtml

 @Html.AntiForgeryToken()

and also javascript which sends the token with all ajax POST in HttpHeader

$(document).ajaxSend(function (event, jqXHR, ajaxOptions) {
            if (ajaxOptions.type === 'POST') {
                jqXHR.setRequestHeader('__RequestVerificationToken', $('input[name="__RequestVerificationToken"]').val());
            }                
        });

and then in controller action method i have

    [ValidateAntiForgeryToken]        
    [HttpPost]
    public ActionResult Save(MyModel model)
    {
       //save and return json data
    }

However ValidateAntiForgeryToken thorwing exception

The required anti-forgery form field "__RequestVerificationToken" is not present.

i verified that __RequestVerificationToken is getting added to httpheader for every Ajax POST.

I have another application that was developed using ASP.NET Core and i have the same functionality there (Except the header name is RequestVerificationToken instead of __RequestVerificationToken) and its been working in ASP.NET Core.

Why the same is not working in ASP.NET MVC when token is included in header? Is there any difference ValidateAntiForgeryToken in ASP.NET Core vs ASP.NET MVC 5?

Possible duplicate of [jQuery Ajax calls and the Html.AntiForgeryToken()](http://stackoverflow.com/questions/4074199/jquery-ajax-calls-and-the-html-antiforgerytoken) — VahidN, Feb 24 '17 at 08:45
@VahidN it is not the same issue. I have gone through provided link before. — LP13, Feb 24 '17 at 15:47

score 1 · Answer 1 · answered Feb 24 '17 at 18:00

1

To fix your problem, everything remains same, except for setRequestHeader. Pass __RequestVerificationToken in request body

data: {
                __RequestVerificationToken: $('input[name="__RequestVerificationToken"]').val(),
                // Other properties of data
            },

answered Feb 24 '17 at 18:00

Kaushal

1,251
1
8
8

yes in asp.net mvc if i add to data then its working? however i guess in asp.net core it works whether you add in `data` or in `header`. To solve my issue i implemented custom ValidateAntiForgeryTokenAttribute. – LP13 Feb 24 '17 at 18:20
Asp.net core checks header and body both for token. – Kaushal Feb 24 '17 at 18:28

score 1 · Answer 2 · edited Feb 24 '17 at 19:32

To solve my issue i have implemented custom ValidateAntiForgeryToken. I have decided to include token in header.

I have several ajax POST method throughout application,So instead of adding it on each action method i want to validate it globally.
On client side i want to include the token implicitly for each ajax POST request. (application also has kendo grids which makes ajax post request to get data)
ajax post data could be json object or serialized form, which makes adding __RequestVerificationToken to data little bit tricky (not impossible), especially when i want to handle it globally.

So here is my complete code

Filter

public class ValidatePostAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
    {
        private const string _tokenKey = "__RequestVerificationToken";
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
            {
                throw new ArgumentNullException("filterContext");
            }

            if (filterContext.HttpContext.Request.HttpMethod.ToUpper() == "POST")
            {
                if (filterContext.HttpContext.Request.IsAjaxRequest())
                {
                    if (filterContext.HttpContext.Request.Cookies.Get(_tokenKey) == null ||
                    filterContext.HttpContext.Request.Headers.Get(_tokenKey) == null)
                    {
                        throw new HttpPostAntiForgeryException("Invalid Verification Token.");
                    }

                    AntiForgery.Validate(filterContext.HttpContext.Request.Cookies[_tokenKey].Value, filterContext.HttpContext.Request.Headers[_tokenKey]);
                }                
            }
        }
    }

Exception

public sealed class HttpPostAntiForgeryException : HttpException
{
    public HttpPostAntiForgeryException()
    {
    }
    public HttpPostAntiForgeryException(string message) : base(message)
    {
    }
}

Add filter globally

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute() { Order = 0 });
        filters.Add(new ValidatePostAntiForgeryTokenAttribute() { Order = 1 });
    }
}

_layout.cshtml - js to add token

 $.ajaxPrefilter(function (options, originalOptions, jqXHR) {
                if (originalOptions.type === "POST")
                    jqXHR.setRequestHeader('__RequestVerificationToken', $('input[name="__RequestVerificationToken"]').val());
            });

Add token in _layout.cshtml

  @Html.AntiForgeryToken()

ValidateAntiForgeryToken is not working asp.net mvc with ajax post

2 Answers2