Enable Antiforgery Token with ASP.NET Core and JQuery Enable Antiforgery Token with ASP.NET Core and JQuery ajax ajax

Enable Antiforgery Token with ASP.NET Core and JQuery


jquery ajax asp.net-core antiforgerytoken

mode777's answer just needs a small addition to make this work (I tried it):

$(document).ajaxSend(function(e, xhr, options) {    if (options.type.toUpperCase() == "POST") {        var token = $form.find("input[name='af_token']").val();        xhr.setRequestHeader("RequestVerificationToken", token);    }});

Actually, if you also submit using Ajax, you don't need to use a form at all.Put this in your _layout:

 <span class="AntiForge"> @Html.AntiForgeryToken() </span>

Then you pickup the token by adding this to your javascript:

$(document)   .ajaxSend(function (event, jqxhr, settings) {        if (settings.type.toUpperCase() != "POST") return;        jqxhr.setRequestHeader('RequestVerificationToken', $(".AntiForge" + " input").val())})

The @HtmlAntiForgeryToken generates a hidden input field with the antiforgery token, the same as when using a form. The code above finds it using the class selector to select the span, then gets the input field inside that to collect the token and add it as a header.

jquery ajax asp.net-core antiforgerytoken

Note: This answer applies to ASP.NET Core 2.0. It may not fit to older versions.

Here's what I've done after digging through aspnet's source code for a short while:

public static class HttpContextExtensions{    public static string GetAntiforgeryToken(this HttpContext httpContext)    {        var antiforgery = (IAntiforgery)httpContext.RequestServices.GetService(typeof(IAntiforgery));        var tokenSet = antiforgery.GetAndStoreTokens(httpContext);        string fieldName = tokenSet.FormFieldName;        string requestToken = tokenSet.RequestToken;        return requestToken;    }}

You can use it in a view like this:

<script>    var data = {        yourData: "bla",        "__RequestVerificationToken": "@Context.GetAntiforgeryToken()"    };    $.post("@Url.Action("ActionName")", data);</script>

You might modify the extension method to return the name of the field as well, in any form you wish, e. g. a JSON fragment.

jquery ajax asp.net-core antiforgerytoken

In Asp.Net Core you can request the token directly, as documented:

@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf    @functions{    public string GetAntiXsrfRequestToken()    {        return Xsrf.GetAndStoreTokens(Context).RequestToken;    }}

And use it in javascript:

function DoSomething(id) {    $.post("/something/todo/"+id,               { "__RequestVerificationToken": '@GetAntiXsrfRequestToken()' });}

You can add the recommended global filter, as documented:

services.AddMvc(options =>{    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());})

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last