Enable Antiforgery Token with ASP.NET Core and JQuery
mode777's answer just needs a small addition to make this work (I tried it):
$(document).ajaxSend(function(e, xhr, options) { if (options.type.toUpperCase() == "POST") { var token = $form.find("input[name='af_token']").val(); xhr.setRequestHeader("RequestVerificationToken", token); }});
Actually, if you also submit using Ajax, you don't need to use a form at all.Put this in your _layout:
<span class="AntiForge"> @Html.AntiForgeryToken() </span>
Then you pickup the token by adding this to your javascript:
$(document) .ajaxSend(function (event, jqxhr, settings) { if (settings.type.toUpperCase() != "POST") return; jqxhr.setRequestHeader('RequestVerificationToken', $(".AntiForge" + " input").val())})
The @HtmlAntiForgeryToken generates a hidden input field with the antiforgery token, the same as when using a form. The code above finds it using the class selector to select the span, then gets the input field inside that to collect the token and add it as a header.
Note: This answer applies to ASP.NET Core 2.0. It may not fit to older versions.
Here's what I've done after digging through aspnet's source code for a short while:
public static class HttpContextExtensions{ public static string GetAntiforgeryToken(this HttpContext httpContext) { var antiforgery = (IAntiforgery)httpContext.RequestServices.GetService(typeof(IAntiforgery)); var tokenSet = antiforgery.GetAndStoreTokens(httpContext); string fieldName = tokenSet.FormFieldName; string requestToken = tokenSet.RequestToken; return requestToken; }}
You can use it in a view like this:
<script> var data = { yourData: "bla", "__RequestVerificationToken": "@Context.GetAntiforgeryToken()" }; $.post("@Url.Action("ActionName")", data);</script>
You might modify the extension method to return the name of the field as well, in any form you wish, e. g. a JSON fragment.
In Asp.Net Core you can request the token directly, as documented:
@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf @functions{ public string GetAntiXsrfRequestToken() { return Xsrf.GetAndStoreTokens(Context).RequestToken; }}
And use it in javascript:
function DoSomething(id) { $.post("/something/todo/"+id, { "__RequestVerificationToken": '@GetAntiXsrfRequestToken()' });}
You can add the recommended global filter, as documented:
services.AddMvc(options =>{ options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());})