
ASP.NET Anti-Forgery Tokens With JSON Payloads


ASP.NET MVC has an AntiForgeryToken helper that allows you to detect and block CSRF attacks using user-specific tokens. However, when making primarily Ajax requests, or when using JavaScript frameworks such as Knockout and Backbone that send JSON payloads, the approach needs to change a bit.

The AntiForgeryToken helper works with form posts by rendering a hidden field in the form that carries the token. ValidateAntiForgeryToken only looks at the submitted form values. To make this work with a JSON request, you can use one of the following approaches -

All the above solutions rely on setting the value of the __RequestVerificationToken field directly. This field name is a constant used in the MVC framework.
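As an added example (not code from the article), the client-side half of this: read the token out of the hidden input that the AntiForgeryToken helper renders, then attach it to a JSON request either as an extra __RequestVerificationToken property in the body or, as the comments below suggest, in a request header. The header name X-RequestVerificationToken and the sample markup are assumptions; a regex stands in for a DOM lookup so the code also runs outside a browser.

```javascript
// Added example, not from the InfoQ article or the ASP.NET MVC framework.
// __RequestVerificationToken is the MVC field-name constant the article names;
// the header name below is an assumption for a server-side filter that has been
// written to read the token from a header instead of from form values.
const TOKEN_FIELD = "__RequestVerificationToken";
const TOKEN_HEADER = "X-RequestVerificationToken"; // assumed, not an MVC constant

// Constructed sample of the markup Html.AntiForgeryToken() emits inside a form.
const SAMPLE_PAGE = `
<form id="__AjaxAntiForgeryForm" action="#" method="post">
  <input name="__RequestVerificationToken" type="hidden" value="tokenvalue123" />
</form>`;

// Pull the token value out of the rendered hidden input. In a browser this is
// document.querySelector('input[name="__RequestVerificationToken"]').value;
// a regex is used here so the example runs without a DOM.
function extractToken(html) {
  const re = new RegExp(
    `<input[^>]*name=["']${TOKEN_FIELD}["'][^>]*value=["']([^"']*)["']`, "i");
  const m = re.exec(html);
  if (!m) throw new Error("anti-forgery token not found in page markup");
  return m[1];
}

// Approach 1: put the token into the JSON payload under the MVC field name, so a
// server-side filter that reads the token from the JSON body finds it next to
// the model data.
function jsonBodyWithToken(payload, token) {
  return JSON.stringify(Object.assign({}, payload, { [TOKEN_FIELD]: token }));
}

// Approach 2 (the $.ajaxSetup idea from the comments): send the token in a
// header on every request and leave the JSON payload untouched. The returned
// object is in the shape fetch()/XHR wrappers expect.
function requestWithTokenHeader(payload, token) {
  return {
    method: "POST",
    headers: { "Content-Type": "application/json", [TOKEN_HEADER]: token },
    body: JSON.stringify(payload),
  };
}

// Usage: one token read per page load, reused for every JSON request.
const pageToken = extractToken(SAMPLE_PAGE);
const bodyVariant = jsonBodyWithToken({ name: "widget" }, pageToken);
const headerVariant = requestWithTokenHeader({ name: "widget" }, pageToken);
```

Whichever variant is used, the server must validate the token against the user's cookie with the same anti-forgery check it applies to form posts; carrying the token in the request only replaces the hidden form field as the transport.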

To learn more about how ASP.NET MVC token helpers prevent CSRF attacks, you can read Steven Sanderson's article introducing them.


Community comments

  • cumbersome?

    by Simon S.

    Looks cumbersome to use.
    "For simple JQuery ajax posts, you can just create a separate form on every page with a field having the token and use it explicitly in your post requests"? That's not "simple" anymore.
    Why not use


    $.ajaxSetup({
        headers: { "csrftoken": "myValue" }
    });

    and check the header instead?

    And btw, do we still need to protect against csrf if we use cors?

  • Re: cumbersome?

    by Roopesh Shenoy

    Mostly I'm misunderstanding this -

    how will the "myValue" come? It has to come from the markup right? ASP.NET helpers allow an anti-forgery token to be generated using the AntiForgeryToken() helper, but it has to be called somewhere in the markup and your JavaScript will have to read that value from there. Correct me if I am wrong.

    I'm not very familiar with CORS to comment - I read about the concepts but not sure about the security implications and how robustly it is implemented in all the browsers. Can you shed more light?

  • Re: cumbersome?

    by Simon S.

    Regarding "myValue" you are correct. What I think is cumbersome is the fact that you cannot use $.ajax() directly, but you have to add the token manually on every request. It would be easier to set the token once, and then call $.ajaxSetup and never care about the token ever again. But maybe we have different kinds of apps in mind. I think about 1 page JS apps, maybe what you have in mind is something else?


    I was not really familiar with CORS either. I really asked because I didn't know the answer.
    But after reading a bit [1] now I know that we need to protect against CSRF even with CORS.

    [1] www.w3.org/TR/cors/#security

  • Re: cumbersome?

    by Roopesh Shenoy

    > What I think is cumbersome is the fact that you can not use $.ajax() directly


    Ah, got you - yes, if it's a single Page App it will work. The above link was not referring to an SPA.
