antiforgerytoken

Manual Anti-Forgery Token Creation and Validation in ASP.NET 5

元气小坏坏 submitted on 2019-12-04 13:10:00
Question: I am playing around with ASP vnext and AngularJS. I have set up a Web API, am using some controllers and am using angular to do some web-magic. I have followed most of this guide to get my project up and running: http://stephenwalther.com/archive/2015/01/29/asp-net-5-and-angularjs-part-6-security ... which works fine. I have set up my db and such and I have things working. I have the identity framework set up too but I am not using it as of yet. I want to post some data to the WebAPI. Which

ASP.NET Core MVC anti forgery

孤街浪徒 submitted on 2019-12-04 12:39:35
Trying to turn on anti-forgery in a Core MVC project, but with no luck. What was done: a filter was added to automatically check the anti-forgery token on every POST request. services.AddMvc(o => { o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()); }); Token generation was added to each page this way. @inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Antiforgery; @{ var antiforgeryRequestToken = Antiforgery.GetAndStoreTokens(Context).RequestToken; } ... ... <script> var antiforgeryToken = @Json.Serialize(antiforgeryRequestToken); </script> And finally each client ajax request adds

ASP.NET MVC HTML.AntiForgeryToken() with multiple AJAX requests from one page

↘锁芯ラ submitted on 2019-12-04 05:26:36
I'm creating a page that makes multiple AJAX form posts without a page refresh. I would like to use the ASP.NET MVC HTML.AntiForgeryToken() helper to secure the form against CSRF attacks. I think that each form on the page can share the same token, but will it allow multiple requests with the same token? If not, is there a way to get a new token or some other way to secure the forms? Ofer Zelig: You can share the same token. Of course, as a general rule, it's highly recommended to wrap your Ajax calls in a unified method that concatenates the CSRF token to the request (be it GET or POST although

How can I use multiple ajax forms with AntiForgery validation on the same MVC3 page?

◇◆丶佛笑我妖孽 submitted on 2019-12-03 21:22:29
When we have more than one possible form to post to the controller on the same cshtml page, the Antiforgery validation does not work. We went through the MVC3 code and we found the problem is in this part of the code: if (!String.Equals(cookieToken.Value, formToken.Value, StringComparison.Ordinal)) { // error: form token does not match cookie token throw CreateValidationException(); } The cshtml that we have is something like this: @using (@Ajax.BeginForm()) { @Html.AntiForgeryToken() <input type="submit" class="buttonBlue" value="form1" /> } @using (@Ajax.BeginForm()) { @Html.AntiForgeryToken

AntiForgeryToken invalid after sign in

百般思念 submitted on 2019-12-03 17:33:34
Question: I have a form which the user can post without logging in. If however his email is recognized, a password is required. The password form is validated over Ajax and if successful the main form is submitted. Both forms require a valid AntiForgeryToken. The catch is, the password check as a by-product also signs the user in (a requirement from the client). This invalidates the token and the main form cannot be sent. I have tried programmatically generating a new token but I can't get it to work.

MVC 2 AntiForgeryToken - Why symmetric encryption + IPrinciple?

怎甘沉沦 submitted on 2019-12-03 13:03:14
We recently updated our solution to MVC 2, and this has updated the way that the AntiForgeryToken works. Unfortunately this does not fit with our AJAX framework any more. The problem is that MVC 2 now uses symmetric encryption to encode some properties about the user, including the user's Name property (from IPrincipal ). We are able to securely register a new user using AJAX, after which subsequent AJAX calls will be invalid as the anti forgery token will change when the user has been granted a new principal. There are also other cases when this may happen, such as a user updating their name

ASP.NET MVC AntiForgeryToken and Caching

十年热恋 submitted on 2019-12-03 11:32:01
I am currently working on an ASP.NET MVC project and came upon an error that seemed peculiar. In the ASP.NET MVC Templates forms always get an AntiForgeryToken (thus leading me to believe that this is a best practice). However AntiForgeryTokens don't seem to work well with caching. For example when I open a site with a form including an AntiForgeryToken and I duplicate the browser window both windows have the exact same AntiForgeryToken leading to an exception when posting the form. This problem does not exist when caching is disabled (via ActionFilter NoCache, see Disable browser cache for

AntiForgery.GetTokens: what is the purpose of the oldCookieToken parameter?

为君一笑 submitted on 2019-12-03 10:52:23
We're writing an iOS mobile app in objective-c that makes posts to our ASP.NET MVC server app. On iPhone, the HTTP stack (and cookies etc) appear to be shared with Safari. This leaves us open to XSRF attacks, so unless I'm mistaken we need to protect the POSTs with anti-forgery tokens and protect our controller methods with ValidateAntiForgeryTokenAttribute . I'll qualify this question by saying that I don't properly understand the mechanism by which the antiforgery tokens are generated and verified... in particular, the term 'nonce' used in this context is somewhat mystical. Because we're not

Manual Anti-Forgery Token Creation and Validation in ASP.NET 5

余生颓废 submitted on 2019-12-03 08:56:36
I am playing around with ASP vnext and AngularJS. I have set up a Web API, am using some controllers and am using angular to do some web-magic. I have followed most of this guide to get my project up and running: http://stephenwalther.com/archive/2015/01/29/asp-net-5-and-angularjs-part-6-security ... which works fine. I have set up my db and such and I have things working. I have the identity framework set up too but I am not using it as of yet. I want to post some data to the WebAPI. Which also works fine, but now I want to do it while using anti forgery tokens. I have googled a lot and I

ASP.NET MVC - ValidateAntiForgeryToken expiring

ぐ巨炮叔叔 submitted on 2019-12-03 06:22:31
In a web page we provide a hyperlink (GET) that the User may click on to authenticate: @Html.ActionLink("Please Login", "MyMethod", "MyController") This maps to the following controller method which returns a View: [RequireHttps] public ActionResult MyMethod() { return this.View(new MyModel()); } This View contains the Form in which the User supplies their credentials; the Form contains the required AntiForgeryToken. When the User submits the form, the following Controller method is called: [HttpPost] [RequireHttps] [ValidateAntiForgeryToken] public ActionResult MyMethod(MyModel model) { // my