ASP.NET MVC has AntiForgeryToken helper that allow you to detect and block CSRF attacks using user-specific tokens. However when making primarily ajax requests or using javascript frameworks such as Knockout and Backbone which have JSON payloads, the approach needs to change a bit.
AntiForgeryToken helper works with Form posts by having a hidden field in the form with the token. ValidateAntiForgeryToken only looks at the Form values submitted. For making this work with a JSON request, you can use one of the following approaches -
- For simple JQuery ajax posts, you can just create a separate form on every page with a field having the token and use it explicitly in your post requests
- Sergey Barskiy shows how to create your own attribute to parse JSON payloads differently from normal payloads
- Justin Etheredge shows how to use your own helper method to add meta-head tag and a custom attribute
All the above solutions rely on the setting the value of __RequestVerificationToken field directly. This field name is a constant used in the MVC framework.
To learn more about how ASP.NET MVC token helpers prevent CSRF attacks, you can read Steven Sandersons’ article introducing this.
Community comments
cumbersome?
by Simon S.,
Re: cumbersome?
by Roopesh Shenoy,
Re: cumbersome?
by Simon S.,
Re: cumbersome?
by Roopesh Shenoy,
cumbersome?
by Simon S.,
Your message is awaiting moderation. Thank you for participating in the discussion.
Looks cumbersome to use.
"For simple JQuery ajax posts, you can just create a separate form on every page with a field having the token and use it explicitly in your post requests"? Thats not "simple" anymore.
Why not use
and check the header instead?
And btw, do we still need to protect against csrf if we use cors?
Re: cumbersome?
by Roopesh Shenoy,
Your message is awaiting moderation. Thank you for participating in the discussion.
Mostly I'm misunderstanding this -
how will the "myValue" come? It has to come from the markup right? ASP.NET helpers allow a anti-forgery token to be generated using the AntiForgeryToken() helper, but it has to be called somewhere in the markup and your JavaScript will have to read that value from there. Correct me if I am wrong.
I'm not very familiar with CORS to comment - I read about the concepts but not sure about the security implications and how robustly it is implemented in all the browsers. Can you shed more light?
Re: cumbersome?
by Simon S.,
Your message is awaiting moderation. Thank you for participating in the discussion.
Regarding "myValue" you are correct. What I think is cumbersome is the fact that you can not use $.ajax() directly, but you have to add the token manually on every request. It would be easier to set the token once, and then call $.ajaxSetup and never care about the token ever again. But maybe we have different kinds of apps in mind. I think about 1 page js apps, maybe what you have in mind is something else?
I was not really familiar with cors either. I really asked because I didn't know the answer.
But after reading a bit [1] now I know that we need to protect against csrf even with cors.
[1]www.w3.org/TR/cors/#security
Re: cumbersome?
by Roopesh Shenoy,
Your message is awaiting moderation. Thank you for participating in the discussion.
Ah, got you - yes, if it's a single Page App it will work. The above link was not referring to an SPA.