jQuery Ajax calls and the Html.AntiForgeryToken()
<p>I have implemented in my app the mitigation to <a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery" rel="noreferrer">CSRF attacks</a> following the information that I have read in some blog posts around the internet. In particular, these posts have been the driver of my implementation:</p>
<ul>
<li><a href="http://blogs.msdn.com/b/aspnetue/archive/2010/09/17/second_2d00_post.aspx" rel="noreferrer">Best Practices for ASP.NET MVC</a> from the ASP.NET and Web Tools Developer Content Team</li>
<li><a href="http://haacked.com/archive/2009/04/02/anatomy-of-csrf-attack.aspx" rel="noreferrer">Anatomy of a Cross-site Request Forgery Attack</a> from Phil Haack's blog</li>
<li><a href="http://davidhayden.com/blog/dave/archive/2009/04/29/AntiForgeryTokenInMVCFramework.aspx" rel="noreferrer">AntiForgeryToken in the ASP.NET MVC Framework - Html.AntiForgeryToken and ValidateAntiForgeryToken Attribute</a> from David Hayden's blog</li>
</ul>
<p>Basically those articles and recommendations say that to prevent the CSRF attack anybody should implement the following code:</p>
<p>1) Add the <code>[ValidateAntiForgeryToken]</code> on every action that accepts the POST HTTP verb</p>
<pre><code>[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult SomeAction( SomeModel model )
{
}
</code></pre>
<p>2) Add the <code>&lt;%= Html.AntiForgeryToken() %&gt;</code> helper inside forms that submit data to the server</p>
<pre><code>&lt;div style="text-align:right; padding: 8px;"&gt;
    &lt;%= Html.AntiForgeryToken() %&gt;
    &lt;input type="submit" id="btnSave" value="Save" /&gt;
&lt;/div&gt;
</code></pre>
<p>Anyway, in some parts of my app I am doing Ajax POSTs with jQuery to the server without having any form at all. This happens for example where I am letting the user click on an image to do a specific action.</p>
<p>Suppose I have a table with a list of activities. I have an image on a column of the table that says "Mark activity as completed" and when the user clicks on that activity I am doing the Ajax POST as in the following sample:</p>
<pre><code>$("a.markAsDone").click(function (event) {
    event.preventDefault();
    $.ajax({
        type: "post",
        dataType: "html",
        url: $(this).attr("rel"),
        data: {},
        success: function (response) {
            // ....
        }
    });
});
</code></pre>
<p>How can I use the <code>&lt;%= Html.AntiForgeryToken() %&gt;</code> in these cases? Should I include the helper call inside the data parameter of the Ajax call?</p>
<p>Sorry for the long post and thanks very much for helping out</p>
<p><strong>EDIT</strong>:</p>
<p>As per <a href="https://stackoverflow.com/questions/4074199/jquery-ajax-calls-and-the-html-antiforgerytoken/4074289#4074289">jayrdub</a>'s answer I have used it in the following way</p>
<pre><code>$("a.markAsDone").click(function (event) {
    event.preventDefault();
    $.ajax({
        type: "post",
        dataType: "html",
        url: $(this).attr("rel"),
        // AddAntiForgeryToken is the helper from jayrdub's linked answer (not
        // defined in this post): it returns the data object with the token
        // field added, so it wraps the whole object instead of sitting inside
        // the object literal
        data: AddAntiForgeryToken({ id: parseInt($(this).attr("title"), 10) }),
        success: function (response) {
            // ....
        }
    });
});
</code></pre>
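The mechanism the question is asking about, as an added example that is not the questioner's code nor jayrdub's answer: read the token from the hidden input that <code>Html.AntiForgeryToken()</code> renders somewhere on the page and merge it into the <code>data</code> object of the Ajax POST, so that <code>[ValidateAntiForgeryToken]</code> finds it in the form body. It assumes the field name <code>__RequestVerificationToken</code>, which is the name the ASP.NET MVC helper emits; the DOM stub is constructed so the snippet runs outside a browser.

```javascript
// Added example, not from the question or the linked posts. Merges the
// anti-forgery token rendered by Html.AntiForgeryToken() into the data object
// of a jQuery Ajax POST. With type: "post" and a plain object, jQuery sends the
// data form-encoded in the request body, which is where the server-side
// [ValidateAntiForgeryToken] filter looks for it (never put it in the URL).
// Assumption: the hidden input is named "__RequestVerificationToken", the
// name ASP.NET MVC's helper emits.
const TOKEN_FIELD = "__RequestVerificationToken";

// Reads the token from the hidden input anywhere on the page. `root` is
// anything exposing querySelector (the real document, or the stub below).
function readAntiForgeryToken(root) {
  const input = root.querySelector(`input[name="${TOKEN_FIELD}"]`);
  if (!input || !input.value) {
    // Fail closed: a POST without the token is rejected by the server anyway,
    // and a silent fallback would hide a view that forgot to render the helper.
    throw new Error("anti-forgery token not found; render Html.AntiForgeryToken() on the page");
  }
  return input.value;
}

// Returns a new object: the caller's fields plus the token field. The token
// name is reserved, so a caller already using it is reported, not overwritten.
function addAntiForgeryToken(data, root) {
  if (Object.prototype.hasOwnProperty.call(data, TOKEN_FIELD)) {
    throw new Error(`data already contains ${TOKEN_FIELD}`);
  }
  return Object.assign({}, data, { [TOKEN_FIELD]: readAntiForgeryToken(root) });
}

// Constructed stand-in for `document`: one hidden input as the helper emits it
// (tokenValue === null simulates a page that never rendered the helper).
function makeStubDocument(tokenValue) {
  return {
    querySelector(selector) {
      return selector === `input[name="${TOKEN_FIELD}"]` && tokenValue !== null
        ? { value: tokenValue }
        : null;
    },
  };
}

// Usage in the click handler from the question (browser only, not run here):
//   $.ajax({ type: "post", dataType: "html", url: $(this).attr("rel"),
//            data: addAntiForgeryToken({ id: parseInt($(this).attr("title"), 10) }, document),
//            success: function (response) { /* ... */ } });
```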