ASP.NET Anti-Forgery Tokens With JSON Payloads
ASP.NET MVC has an AntiForgeryToken helper that lets you detect and block CSRF attacks using per-user tokens. However, when most of your requests are Ajax calls, or you use JavaScript frameworks such as Knockout and Backbone that send JSON payloads, the approach needs to change a bit.
The AntiForgeryToken helper works with form posts: it renders a hidden field carrying the token (paired with a matching anti-forgery cookie), and ValidateAntiForgeryToken reads the token only from the submitted form values, so a token placed in a JSON body is never seen. To make this work with a JSON request, you can use one of the following approaches:
- For simple jQuery Ajax posts, you can create a separate form on every page with a field holding the token and read that field explicitly in your post requests
- Sergey Barskiy shows how to create your own attribute that parses JSON payloads differently from normal form payloads
- Justin Etheredge shows how to use your own helper method to emit a meta tag in the page head, together with a custom attribute that reads the token from it
All the above solutions rely on setting the value of the __RequestVerificationToken field directly. This field name is a constant used by the MVC framework.
To learn more about how the ASP.NET MVC token helpers prevent CSRF attacks, read Steven Sanderson's article introducing them.
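As an added example (not code from the article or from the posts it links), the following ASP.NET MVC 4 attribute accepts the anti-forgery token from a request header named __RequestVerificationToken, falls back to the form field of the same name, and hands the cookie/request pair to AntiForgery.Validate, which is the check ValidateAntiForgeryToken performs for form posts. The attribute name ValidateJsonAntiForgeryToken and the choice of header name are assumptions; the client has to read the token from the hidden field rendered by @Html.AntiForgeryToken() and send it under that header.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example, not part of ASP.NET MVC: an authorization filter that validates the
// anti-forgery token for Ajax/JSON requests. The attribute name is an assumption.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class ValidateJsonAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    // The name MVC uses for the hidden form field; reusing it as the header name is an
    // assumption shared with the client-side script that sends the token.
    public const string TokenName = "__RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        var request = filterContext.HttpContext.Request;

        // One half of the pair is the anti-forgery cookie written by @Html.AntiForgeryToken().
        // The cookie name is configurable, so read it from AntiForgeryConfig instead of hard-coding it.
        var cookie = request.Cookies[AntiForgeryConfig.CookieName];
        var cookieToken = cookie == null ? null : cookie.Value;

        // The other half: a request header for Ajax/JSON calls, with the form field as a
        // fallback so the same attribute also covers ordinary form posts.
        var requestToken = request.Headers[TokenName];
        if (string.IsNullOrEmpty(requestToken))
        {
            requestToken = request.Form[TokenName];
        }

        try
        {
            // Same validation ValidateAntiForgeryToken runs: both halves must decrypt, share a
            // security token and have been issued to the current user. A missing cookie or
            // missing request token also throws.
            AntiForgery.Validate(cookieToken, requestToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Fail closed with an explicit 403 rather than MVC's default 500 error page.
            filterContext.Result = new HttpStatusCodeResult(403, "Anti-forgery token missing or invalid");
        }
    }
}

// Usage (example): decorate the JSON-accepting action instead of using ValidateAntiForgeryToken.
// [HttpPost, ValidateJsonAntiForgeryToken]
// public ActionResult Save(OrderViewModel model) { /* ... */ }
```

On the client, read the value of the hidden __RequestVerificationToken input that @Html.AntiForgeryToken() renders and send it as a request header on every POST (for jQuery, setting it in $.ajaxSetup's headers option or in beforeSend via xhr.setRequestHeader). The anti-forgery cookie stays HttpOnly and is never touched by script: only the page that rendered the field can supply the matching request half, which is exactly what a cross-site attacker cannot do.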
cumbersome?
by Simon S.
"For simple JQuery ajax posts, you can just create a separate form on every page with a field having the token and use it explicitly in your post requests"? That's not "simple" anymore.
Why not use
$.ajaxSetup({
headers: { "csrftoken": "myValue" }
});
and check the header instead?
And btw, do we still need to protect against csrf if we use cors?
Re: cumbersome?
by Roopesh Shenoy
How will the "myValue" come? It has to come from the markup, right? ASP.NET helpers allow an anti-forgery token to be generated using the AntiForgeryToken() helper, but it has to be called somewhere in the markup and your JavaScript will have to read that value from there. Correct me if I am wrong.
I'm not familiar enough with CORS to comment - I read about the concepts but am not sure about the security implications and how robustly it is implemented in all the browsers. Can you shed more light?
Re: cumbersome?
by Simon S.
I was not really familiar with CORS either. I really asked because I didn't know the answer.
But after reading a bit [1], now I know that we need to protect against CSRF even with CORS.
[1] www.w3.org/TR/cors/#security