
I can't find the answer in the docs. Does ASP.NET Core 5 expect the __RequestVerificationToken or the RequestVerificationToken header on an HTTP POST method when the API method is decorated with [ValidateAntiForgeryToken]? I've seen both versions in examples, and I don't know which one is the right one.

Yoda
  • You don't know, but you can try it out easily and then you will know it yourself. I'm not so sure about .NET 5 (because I've not had a chance to try it), but the header required (by default) in `asp.net core 2.2` is `RequestVerificationToken`, so it might have been kept unchanged through the later versions. – King King Feb 16 '21 at 16:16

1 Answer

Please check this article.

In ASP.NET Core 2.0 or later, for traditional HTML-based apps (such as MVC and Razor applications), the FormTagHelper injects antiforgery tokens into HTML form elements; it adds a hidden form field similar to the following:

<input name="__RequestVerificationToken" type="hidden" value="CfDJ8NrAkS ... s2-m9Yw">

But in modern JavaScript-based apps and SPAs, many requests are made programmatically. These AJAX requests may use other techniques (such as request headers or cookies) to send the token.

If cookies are used to store authentication tokens and to authenticate API requests on the server, CSRF is a potential problem. If local storage is used to store the token, CSRF vulnerability might be mitigated because values from local storage aren't sent automatically to the server with every request. Thus, using local storage to store the antiforgery token on the client and sending the token as a request header is a recommended approach.

So, in this kind of application, we inject the Microsoft.AspNetCore.Antiforgery.IAntiforgery service into the view and call GetAndStoreTokens, then use a hidden field (named RequestVerificationToken) to store the verification token. Code as below:

@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf
@functions{
    // GetAndStoreTokens issues the token pair and sets the antiforgery cookie;
    // RequestToken is the half the client must send back with the request.
    public string GetAntiXsrfRequestToken()
    {
        return Xsrf.GetAndStoreTokens(Context).RequestToken;
    }
}

<input type="hidden" id="RequestVerificationToken"
       name="RequestVerificationToken" value="@GetAntiXsrfRequestToken()">

With this method you add the hidden field yourself, so you can customize the hidden field's name and id values.

After that, we can customize the antiforgery options in Startup.ConfigureServices, for example the header name for the RequestVerificationToken:

services.AddAntiforgery(o => o.HeaderName = "XSRF-TOKEN");  // configure the antiforgery service to look for the XSRF-TOKEN header, to prevent cross-site request forgery.

Then, for modern JavaScript-based apps, we could use the following script to add the request header:

        var xhttp = new XMLHttpRequest();
        document.getElementById("antiforgery").onclick = function () {
            xhttp.open('POST', '@Url.Action("Antiforgery", "Home")', true);
            // the header name must match the HeaderName configured in AddAntiforgery
            xhttp.setRequestHeader("XSRF-TOKEN",
                document.getElementById('RequestVerificationToken').value); // get the request verification token
            xhttp.send();
        }

For the traditional HTML-based apps, we could use the following script:

            $.ajax({
                type: "POST",
                url: "/Survey/Create",
                beforeSend: function (xhr) {
                    // read the token from the hidden field the FormTagHelper rendered
                    xhr.setRequestHeader("XSRF-TOKEN",
                        $('input:hidden[name="__RequestVerificationToken"]').val());
                },
                data: { "CategoryName": $("#CategoryName").val(), "CategoryID": $("#CategoryID").val() },
                success: function (response) {
                    alert(response);
                },
                // jQuery has no "failure" option; "error" covers failed requests
                error: function (response) {
                    alert(response.responseText);
                }
            });

Zhi Lv
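As an added example that is not part of the answer above, a minimal .NET 5 Startup plus two controllers tie the pieces together: `__RequestVerificationToken` is the default name of the hidden form field, while a header is only accepted under AntiforgeryOptions.HeaderName, which defaults to `RequestVerificationToken` and is set here to the hypothetical `X-XSRF-TOKEN`. The `api/xsrf` token endpoint and `SurveyDto` are assumptions made for the example.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        // Header name chosen for this example (hypothetical). If this line is omitted,
        // the middleware expects the header "RequestVerificationToken" (no underscores);
        // "__RequestVerificationToken" is the default name of the hidden form field only.
        services.AddAntiforgery(o => o.HeaderName = "X-XSRF-TOKEN");
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseEndpoints(e => e.MapControllers());
    }
}

// Hands the request token to a JavaScript client. GetAndStoreTokens also sets the
// antiforgery cookie; on POST the server checks header and cookie against each other.
[ApiController]
[Route("api/[controller]")]
public class XsrfController : ControllerBase
{
    private readonly IAntiforgery _xsrf;
    public XsrfController(IAntiforgery xsrf) => _xsrf = xsrf;
    [HttpGet]
    public IActionResult Get()
    {
        var tokens = _xsrf.GetAndStoreTokens(HttpContext);
        return Ok(new { headerName = "X-XSRF-TOKEN", token = tokens.RequestToken });
    }
}

[ApiController]
[Route("api/[controller]")]
public class SurveyController : ControllerBase
{
    // Returns 400 unless the configured header (or form field) carries a token that
    // pairs with the antiforgery cookie sent alongside the request.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Create([FromBody] SurveyDto dto) => Ok(dto);
}
public record SurveyDto(string CategoryName, int CategoryID);
```

A client first GETs `api/xsrf`, then POSTs to `api/survey` with the returned token in the `X-XSRF-TOKEN` header; sending it as `__RequestVerificationToken` in a header is rejected because that name is only looked up in form bodies.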