Which anti-forgery keys are required to make POST calls with programs like Postman or Fiddler? It seems like I have both a cookie and also a hidden form-data variable. Which should I use, and how do the anti-forgery checks work? I am using a simple web application (ASP Core 2.2) that saves the user claims as a cookie.
My Create User page:
    @page
    @model WebAppTry3.Pages.CreateUserModel
    @{
        ViewData["Title"] = "CreateUser";
        Layout = "_layout";
    }
    <h2>CreateUser</h2>
    <form method="post">
        <input asp-for="Name" />
        <input type="submit" value="SKicka" />
    </form>
This is how my form looks when displayed as HTML:
    <form method="post">
        <input type="text" id="Name" name="Name" value="" />
        <input type="submit" value="SKicka" />
        <input name="AntiforgeryFieldname" type="hidden" value="<alot of characters...>" />
    </form>
My Razor Page model:
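    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.RazorPages;

    namespace WebAppTry3.Pages
    {
        public class CreateUserModel : PageModel
        {
            // Bound from the posted form field "Name".
            [BindProperty]
            public string Name { get; set; }

            public string Message = "Hm";

            public void OnGet()
            {
            }

            // Runs only after the request has passed antiforgery validation.
            public void OnPost()
            {
                var name = Name;
                Message = "Inside the OnPOST";
            }
        }
    }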
I tried to make a POST request with Fiddler with this input data, but I still get a status code 400. I copied the cookie from Chrome when I ran the web application.
    User-Agent: Fiddler
    Host: localhost:4138
    Content-Length: 0
    Cookie: .AspNetCore.Antiforgery.Outs1Mq9yYA=<cookie value>

Request-body

    Name: dddd
    AntiforgeryFieldname: <long key>
EDIT: The purpose of the question is to understand which keys I need to get to make a POST request in my integration tests.
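
An added example, not part of the original question: ASP.NET Core antiforgery validation needs both values from the same GET response, the `.AspNetCore.Antiforgery.*` cookie and the hidden form field, and the field has to arrive in a form-encoded body. The sketch below assumes xUnit with the `Microsoft.AspNetCore.Mvc.Testing` package, an entry-point class named `WebAppTry3.Startup`, and that the page is served at `/CreateUser`; none of those three are confirmed by the post.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

// Assumed names: WebAppTry3.Startup (entry point) and the /CreateUser route.
public class CreateUserPostTests : IClassFixture<WebApplicationFactory<WebAppTry3.Startup>>
{
    private readonly WebApplicationFactory<WebAppTry3.Startup> _factory;

    public CreateUserPostTests(WebApplicationFactory<WebAppTry3.Startup> factory)
        => _factory = factory;

    [Fact]
    public async Task Post_NeedsBothCookieAndFormToken()
    {
        // CreateClient() keeps cookies by default, so the antiforgery cookie
        // set by the GET below is sent back automatically on each POST.
        HttpClient client = _factory.CreateClient();

        // 1. GET the form: the response sets the cookie and embeds the field token.
        string html = await client.GetStringAsync("/CreateUser");

        // 2. Pull the hidden field value out of the rendered HTML.
        Match m = Regex.Match(html,
            @"name=""AntiforgeryFieldname""[^>]*value=""([^""]+)""");
        Assert.True(m.Success, "antiforgery field not found in the form");
        string token = WebUtility.HtmlDecode(m.Groups[1].Value);

        // 3. POST form-encoded; Content-Type and Content-Length are set for us.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["Name"] = "dddd",
            ["AntiforgeryFieldname"] = token
        });
        HttpResponseMessage accepted = await client.PostAsync("/CreateUser", form);
        Assert.Equal(HttpStatusCode.OK, accepted.StatusCode);

        // Cookie alone is not enough: dropping the field token is rejected with 400.
        var noToken = new FormUrlEncodedContent(
            new Dictionary<string, string> { ["Name"] = "dddd" });
        HttpResponseMessage rejected = await client.PostAsync("/CreateUser", noToken);
        Assert.Equal(HttpStatusCode.BadRequest, rejected.StatusCode);
    }
}
```

The cookie and field token are generated as a pair, so both must be taken from the same GET response rather than mixed from different sessions.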