ASP.NET Anti-Forgery Tokens With JSON Payloads

by Roopesh Shenoy on Oct 16, 2012

ASP.NET MVC has an AntiForgeryToken helper that allows you to detect and block CSRF attacks using user-specific tokens. However, when making primarily Ajax requests, or when using JavaScript frameworks such as Knockout and Backbone that send JSON payloads, the approach needs to change a bit.

The AntiForgeryToken helper works with form posts by placing a hidden field containing the token in the form. ValidateAntiForgeryToken only looks at the form values submitted. To make this work with a JSON request, you can use one of the following approaches -

All the above solutions rely on setting the value of the __RequestVerificationToken field directly. This field name is a constant used in the MVC framework.
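As an added example (not code from the article or from the ASP.NET framework itself), here is an MVC 4 authorization filter that accepts the token from a request header named __RequestVerificationToken, so that JSON requests can carry it without a form, and validates it against the anti-forgery cookie using the framework's AntiForgery.Validate(cookieToken, formToken) overload. The attribute name and the choice of header name are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example: validates the anti-forgery token carried in a request header
// (or, as a fallback, in the form collection) against the anti-forgery cookie.
// Attribute and header names are assumptions; the validation itself is done by
// the framework's AntiForgery.Validate overload, not re-implemented here.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    // Same constant name the MVC form helper uses for its hidden field, reused
    // as the header name so client code has a single name to deal with.
    public const string TokenFieldName = "__RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        HttpRequestBase request = filterContext.HttpContext.Request;

        // One half of the token pair lives in the anti-forgery cookie (its name
        // is configurable via AntiForgeryConfig.CookieName); the other half must
        // be supplied by the client with every state-changing request.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        // Accept the client half from a header so the JSON body never has to be
        // parsed here; fall back to the form field for classic form posts.
        string requestToken = request.Headers[TokenFieldName] ?? request.Form[TokenFieldName];

        // Throws HttpAntiForgeryException when either half is missing, when the
        // pair does not match, or when the token was issued for a different user,
        // i.e. the same failure behaviour as [ValidateAntiForgeryToken].
        AntiForgery.Validate(cookieToken, requestToken);
    }
}
```

Apply [ValidateHeaderAntiForgeryToken] to the JSON action and have the client copy the value of the hidden field rendered by @Html.AntiForgeryToken() into that header on each request.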

To learn more about how the ASP.NET MVC token helpers prevent CSRF attacks, you can read Steven Sanderson's article introducing them.


cumbersome? by Simon S.

Looks cumbersome to use.
"For simple JQuery ajax posts, you can just create a separate form on every page with a field having the token and use it explicitly in your post requests"? That's not "simple" anymore.
Why not use

$.ajaxSetup({
headers: { "csrftoken": "myValue" }
});

and check the header instead?

And btw, do we still need to protect against csrf if we use cors?

Re: cumbersome? by Roopesh Shenoy

Mostly I'm misunderstanding this -

how will the "myValue" come? It has to come from the markup right? ASP.NET helpers allow an anti-forgery token to be generated using the AntiForgeryToken() helper, but it has to be called somewhere in the markup and your JavaScript will have to read that value from there. Correct me if I am wrong.

I'm not very familiar with CORS to comment - I read about the concepts but not sure about the security implications and how robustly it is implemented in all the browsers. Can you shed more light?

Re: cumbersome? by Simon S.

Regarding "myValue" you are correct. What I think is cumbersome is the fact that you cannot use $.ajax() directly, but you have to add the token manually on every request. It would be easier to set the token once, and then call $.ajaxSetup and never care about the token ever again. But maybe we have different kinds of apps in mind. I think about 1 page js apps, maybe what you have in mind is something else?

I was not really familiar with cors either. I really asked because I didn't know the answer.
But after reading a bit [1] now I know that we need to protect against csrf even with cors.

[1] www.w3.org/TR/cors/#security

Re: cumbersome? by Roopesh Shenoy

"What I think is cumbersome is the fact that you cannot use $.ajax() directly"

Ah, got you - yes, if it's a single-page app it will work. The above link was not referring to an SPA.
