28

I just installed ASP.Net MVC 4 RC to replace ASP.Net MVC 4 beta. When trying to run an existing application I'm getting an error message that AntiForgeryToken has been deprecated. Here's my code:

using (Html.BeginForm("", "", FormMethod.Post, new { id = "MonthElectionForm" }))
{
    @Html.AntiForgeryToken("AddEditMonthElection")
}

---- UPDATE ---

ASP.Net MVC 4 RC has made the Salt property obsolete for the ValidateAntiForgeryToken attribute and the AntiForgeryToken HTML helper. So, now my code looks like this:

controller:

        [HttpPost]
        [ValidateAntiForgeryToken]
        public JsonResult CreateCompany(CompanyDataEntryViewModel modelData)
        {...}

form:

@using (Html.BeginForm("", "", FormMethod.Post, new { id = "CreateCompanyDataEntryForm" }))
{
    @Html.AntiForgeryToken()
...
}

Looking at the generated HTML, AntiForgeryToken still generates a hidden field and provides an encrypted value. My action still works too. But I've lost the ability to designate a key to use in the encryption process. I'm not too sure how the process works, but from what I can tell, before I was setting the salt value on the action and on the form. The values had to match in order for the action to accept the post. So, how do you set the salt value now? I think it has something to do with AntiForgeryConfig AdditionalDataProvider, but I cannot find anything by googling on how to use AntiForgeryConfig AdditionalDataProvider. Please help.

Thanks

Tom Schreck
  • 6
    Do you get this detailed error message? "This method is deprecated. Use the AntiForgeryToken() method instead. To specify custom data to be embedded within the token, use the static AntiForgeryConfig.AdditionalDataProvider property."? – Tz_ Jun 01 '12 at 14:33
  • Yes, I saw that detailed error message. How do you use the AntiForgeryConfig.AdditionalDataProvider property? Can we no longer use attributes on an action like before? Not much is showing when googling the AntiForgeryConfig.AdditionalDataProvider property. – Tom Schreck Jun 01 '12 at 15:17

1 Answer

43

Setting the salt parameter is unnecessary and didn't provide any additional protection, so we removed support for it.

Please see my response at "How to choose a salt value for ValidateAntiForgeryToken" for more information.

Levi
  • 1
    Ahhh, makes sense now. I assumed the value we were using for the Salt value was used in the encryption process. Thanks for clearing this up. – Tom Schreck Jun 01 '12 at 19:57
  • 1
    So, what do you do in the case where you have multiple login forms (different methods) on the same page, and each one needs a token? I'm running into the issue where I'm getting errors with the token because one form is started, but then the other one is selected and submitted. (Like internal user login vs. external user login.) – Craig Mar 18 '15 at 20:59
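
An added example, not code from any of the posts above, of the mechanism the deprecation message points to: AntiForgeryConfig.AdditionalDataProvider accepts an IAntiForgeryAdditionalDataProvider, and the plain @Html.AntiForgeryToken() and [ValidateAntiForgeryToken] then embed and check its data. The class names, the session key and the choice of a per-session random value are assumptions made for illustration; as the answer says, none of this is required for the token to protect against CSRF.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Helpers;

// Hypothetical provider: ties each token to a random value kept in the session.
public class SessionBoundAntiForgeryData : IAntiForgeryAdditionalDataProvider
{
    private const string SessionKey = "AntiForgeryBinding"; // assumed key name

    // Called when Html.AntiForgeryToken() builds the form token.
    public string GetAdditionalData(HttpContextBase context)
    {
        if (context.Session == null) return string.Empty; // session state disabled
        var value = context.Session[SessionKey] as string;
        if (value == null)
        {
            var bytes = new byte[16];
            using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
            value = Convert.ToBase64String(bytes);
            context.Session[SessionKey] = value;
        }
        return value;
    }

    // Called during validation with the data read back from the submitted token.
    public bool ValidateAdditionalData(HttpContextBase context, string additionalData)
    {
        var submitted = additionalData ?? string.Empty;
        if (context.Session == null) return submitted.Length == 0;
        var expected = context.Session[SessionKey] as string;
        return expected != null && FixedTimeEquals(expected, submitted);
    }

    // Comparison whose duration does not depend on where the strings differ.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class AntiForgeryRegistration
{
    // Call once from Application_Start in Global.asax.cs.
    public static void Register()
    {
        AntiForgeryConfig.AdditionalDataProvider = new SessionBoundAntiForgeryData();
    }
}
```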