Questions tagged [antiforgerytoken]

Cryptographic Nonce for anti-CSRF protection

Cross-site Request Forgery (CSRF) uses malicious HTML or JavaScript content to trick a user's browser into submitting a form or request to a third-party site with the user's ambient credentials (such as session cookies). A cryptographic token, or nonce, is an unpredictable value that the server inserts into outgoing web pages and that the browser must return with each form submission or AJAX request; because an attacker's page cannot read that value, requests lacking the correct token are rejected, which prevents CSRF attacks.

559 questions
215 votes, 21 answers

jQuery Ajax calls and the Html.AntiForgeryToken()

I have implemented in my app the mitigation to CSRF attacks following the information that I have read in some blog posts around the internet. In particular these posts have been the driver of my implementation Best Practices for ASP.NET MVC from…
Lorenzo
81 votes, 13 answers

How can I supply an AntiForgeryToken when posting JSON data using $.ajax?

I am using the code below from this post: First I will fill an array variable with the correct values for the controller action. Using the code below I think it should be very straightforward by just adding the following line to the JavaScript…
HerbalMart
78 votes, 6 answers

Web API and ValidateAntiForgeryToken

We have some existing MVC web services that are called AJAX style from web pages. These services make use of the ValidateAntiForgeryToken attribute to help prevent request forgeries. We are looking to migrate these services to Web API, but there…
ScottS
40 votes, 10 answers

The required anti-forgery cookie "__RequestVerificationToken" is not present

My website is raising this exception around 20 times a day; usually the form works fine, but there are instances where this issue occurs and I don't know why it is so random. This is the exception logged by elmah: 500 HttpAntiForgery The required…
General Electric
38 votes, 5 answers

A way of properly handling HttpAntiForgeryException in MVC 4 application

Here is the scenario: I have a login page; when the user signs in, he is redirected to the home application page. Then the user uses the browser back button, and now he is on the login page. He tries to log in again, but now an exception is…
Marcin
36 votes, 2 answers

If I add multiple forms in a single page, do I need to add separate Anti-Forgery Tokens in each form?

If the answer is yes, then how would ASP.NET MVC find out which token was linked to which form, and how would it validate it? I've seen that it is creating two separate tokens for each form.
neebz
36 votes, 11 answers

Troubleshooting anti-forgery token problems

I have a form post that consistently gives me an anti-forgery token error. Here is my form: @using (Html.BeginForm()) { @Html.AntiForgeryToken() @Html.EditorFor(m => m.Email) @Html.EditorFor(m => m.Birthday)
Jerad Rose
34 votes, 3 answers

RequestVerificationToken does not match

I have a problem with the anti-CSRF MVC mechanism. The cookie and the form input returned do not match. I'm getting an error every single time, only in one specific page. In the rest of the application it works well. The server is returning HTTP…
vtortola
33 votes, 1 answer

Html.AntiForgeryToken() still required?

Is @Html.AntiForgeryToken() still required in ASP.NET .NET4.6 vNext? The form decorations have changed to
matt.
31 votes, 1 answer

anti-CSRF token and JavaScript

I'm trying to protect an application (PHP and lots of JS) from CSRF. I want to use tokens. A lot of operations are done with AJAX, so I have to pass the token in JavaScript. If I want to generate 1 token per session or per page load it's simple - I…
Leonti
28 votes, 1 answer

AntiForgeryToken deprecated in ASP.Net MVC 4 RC

I just installed ASP.Net MVC 4 RC to replace ASP.Net MVC 4 beta. When trying to run an existing application I'm getting an error message that AntiForgeryToken has been deprecated. Here's my code: using (Html.BeginForm("", "", FormMethod.Post, new…
Tom Schreck
27 votes, 1 answer

When is the use of an AntiForgeryToken not required/needed?

UPD: Same question asked on security.stackexchange.com and the answer I got is different. Please follow there, to get the correct answer! I'm running a rather large site with thousands of visits every day, and a rather large userbase. Since I…
Artiom Chilaru
27 votes, 3 answers

Unable to complete POST request in Clojure

I have recently started exploring Clojure and I wanted to set up a simple web app with basic CRUD functionality. I found a nice tutorial here: http://www.xuan-wu.com/2013-09-21-Basic-Web-Application-in-Clojure. The GET requests work fine, but…
Gregory-Turtle
26 votes, 2 answers

How does AntiForgeryToken work?

I'm trying to protect from CSRF and have two scenarios: Doing POST from within another site, and it fails when I enable AntiForgeryToken. I have tried from my "malicious" JavaScript (running on another site) to first do GET of the page, parse it…
Nadir Talic
24 votes, 3 answers

Using MVC3's AntiForgeryToken in HTTP GET to avoid JavaScript CSRF vulnerability

In regard to this Haacked blog, I'm hesitant to implement the proposed anti-JSON GET hijacking solutions since the recommended solutions to mitigating JSON hijacking involve non-RESTful JSON POSTs to GET data. The alternate solution (object…
makerofthings7