antiforgerytoken

问题 We are trying to make a MVC4 app with Oauth (Gmail) authorisation accessible via a WebAPi. We made a WebAPI controller that returns a list of data, but we cannot put the authorise attribute to work properly. Right now it is difficult to send the AntiForgeryToken correctly to the server and we get a session_requestverificationtoken error. Is there a good way to parse and post the correct antiforgery token via Webai? Or is there a better way to login via OAuth via a webapi? 回答1: Why are you

问题 Exists, in asp.net-core, a command similar to AntiForgery.Validate(); to validate antiforgery token in the action body? Code example in dotnet 4.5.1: public ActionResult Index() { if (!User.Identity.IsAuthenticated) { System.Web.Helpers.AntiForgery.Validate(); } // rest of action } 回答1: Antiforgery token validation can be done automatically using filter attributes in your controllers. Use [AutoValidateAntiforgeryToken] to validate the token on all "unsafe" methods. (Methods other than GET,

问题 I have separate frontend project in Angular 2 without using MVC and backend project is Web Api (Asp.Net Core) both are hosted on different domain. I implemented AntiForgery token functionality but it is not working. Frontend project (UI)- http://localhost:8080/ Backend project (Web Api) - http://localhost:4823/ I am able to receive and send XSRF-Token cookie in every request but api gives 400 Bad Request error. I followed this link- Angular2 ASP.NET Core AntiForgeryToken Startup.cs - public

问题 I am struggling to call my controller method with [ValidateAntiForgeryToken] attribute. My cshtml/js code : var wizardRegisterJsonRequest = { Email: email, Password: password, ConfirmPassword: confirmPassword, Name: name }; $.ajax({ type: 'POST', dataType: "html", url: 'http://localhost:50209/GetAllFonts/WizardRegister', data: AddAntiForgeryToken(wizardRegisterJsonRequest), beforeSend: function () { $('#create_account_form').data('busy', true); $('#create_account_busy').show(); }, success:

问题 I have a view that shows fine via firefox but not on IE11. It uses Datatables and 2 of the columns have buttons to toggle the status of some data displayed. These columns are very similar and one is like this.... @{ <td style="width: 18%"> @if ((ViewBag.UserIsAdmin == "1") && ("AV".Contains(Model[ix].Status[0])) ) { <span class="hidden_span">@Html.DisplayFor(modelItem => Model[ix].StockId)</span> string voidItemButtonCaption = String.Format("{0} {1}", ((Model[ix].Status[0] == 'A') ? "Void

问题 I works on an Asp.net MVC 5 project and know there is 2 way to pass the AntiForgeryToken to the server in ajax calls: Put it in Header Put it in Data I like putting AntiForgeryToken in request header and my codes works well both client and server side. I followed this article. I put the AntiForgeryToken in each $.ajax call header and it works nice But Now i decided write new codes to add AntiForgeryToken to all Ajax calls that have POST type in my page globally and remove the header setting

问题 I'm trying to embed a simple web app that will POST user input that is running asp.net Core 2.0 into an iframe. The problem I am having is that while embedded, the request headers that are being generated lack the cookie header that contains the .AspNetCore.Antiforgery.[token]. It is being generated as expected outside of the iframe. This is causing a 400 error because the post is unable to validate the token. Request Headers generated outside of iframe: Request Headers: NO IFRAME Request

问题 On my MVC3 site, I have a page that contains several links. These links all link back to a route on my site, with different ID values and are structured as such: ie: www.mysite.com/links/33351/3 I'd like to take advantage of the MVC3's antiforgerytoken mechanism so that I can ensure that all requests to www.mysite.com/links/33351/3 from the link index page. I'm familiar with how to add the token to a form, however these are all stand-alone links. How can I accomplish this? 回答1: You can't use

问题 We've just had some Penetration Testing carried out on an application we've built using ASP.NET MVC, and one of the recommendations that came back was that the value of the AntiForgeryToken in the Form could be resubmitted multiple times and did not expire after a single use. According to the OWASP recommendations around the Synchronizer Token Pattern: "In general, developers need only generate this token once for the current session." Which is how I think the ASP.NET MVC AntiForgeryToken

问题 I want to protect our login actions by AntiforgeryToken attribute - I know why the exception from the topic occurs, however I can't seem to find any good solution for it. Let say we have the following situations: It's 8:00 AM, application users are coming to work, they sit down and starting the login process - right now it is very possible that some of the users will get the same ValidationToken . After the first one logs in - all other will see the above exception (or some other custom