

Passing Anti-Forgery Token to MVC Actions using Ajax Post

In this article I will show you a simple code sample on how to pass the Anti-Forgery token to an MVC action through Ajax POST calls. The entire sample is attached.

Client Side

1) Add Token to Layout page

Add the following lines of code in the body section of the ...\Views\Shared\_Layout.cshtml page.

    <script>
        @* Razor helper: returns "<cookieToken>,<formToken>" so the client can send both in one header. *@
        @functions {
            public string GetAntiForgeryToken()
            {
                string cookieToken, formToken;
                AntiForgery.GetTokens(null, out cookieToken, out formToken);
                return cookieToken + "," + formToken;
            }
        }
    </script>
    <input type="hidden" id="forgeryToken" value="@GetAntiForgeryToken()" />

 

2) Add Token as Header to the Ajax Post method

The following lines of code are of interest:

1) Read the forgery token

    var forgeryId = $("#forgeryToken").val();

2) Pass the forgery token as a header to the POST method.

    headers: { 'VerificationToken': forgeryId }

3) Sample Ajax Request

    var forgeryId = $("#forgeryToken").val();
    $.ajax({
        url: 'HOME/POSTSAMPLEACTION',
        type: "POST",
        data: { name: "test" },
        async: true,
        dataType: "json",
        headers: { 'VerificationToken': forgeryId }, // tokens travel in a request header, not a form field
        success: function (returnVal) { alert(returnVal); },
        error: function (data) { alert("failed"); }
    });
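As an added example (not from the original post or its attached sample), the same header can be registered once with a jQuery prefilter instead of on every `$.ajax` call, while limiting it to state-changing, same-origin requests so the token is never sent to another host. The hidden field id `forgeryToken` and the header name `VerificationToken` are taken from the post; the function names below are this example's own.

```javascript
// Added example: attach the anti-forgery header globally, but only where it belongs.
// Assumes the "forgeryToken" hidden field and "VerificationToken" header from the post.

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// Decide whether a request needs the anti-forgery header: only for unsafe methods,
// and only when the target URL resolves to the same origin as the page.
function shouldAttachToken(method, url, pageOrigin) {
  if (SAFE_METHODS.includes(String(method || 'GET').toUpperCase())) {
    return false;
  }
  // Relative URLs such as 'HOME/POSTSAMPLEACTION' resolve against the page origin.
  const target = new URL(url, pageOrigin);
  return target.origin === new URL(pageOrigin).origin;
}

// Build the headers object the post's $.ajax call expects; empty when no token should go out.
function buildTokenHeaders(method, url, pageOrigin, tokenValue) {
  if (!tokenValue || !shouldAttachToken(method, url, pageOrigin)) {
    return {};
  }
  return { VerificationToken: tokenValue };
}

// Browser wiring: read the token emitted by _Layout.cshtml and add it through a
// global prefilter. Guarded so this file also loads outside a browser.
if (typeof window !== 'undefined' && typeof window.jQuery !== 'undefined') {
  const $ = window.jQuery;
  const forgeryId = $('#forgeryToken').val();
  $.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    const headers = buildTokenHeaders(options.type, options.url, window.location.origin, forgeryId);
    Object.keys(headers).forEach(function (name) {
      jqXHR.setRequestHeader(name, headers[name]);
    });
  });
}
```

With the prefilter in place, the per-call `headers:` entry from the sample above becomes unnecessary, and a request to a foreign origin (for example a third-party API called with `$.ajax`) never carries the token.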

 


Server Side

1) Add a custom filter for validating Ajax requests for the Anti-Forgery token.

We will write a custom validator attribute for validating Ajax requests that need the Anti-Forgery token to be set. Below is the code for the same. It primarily checks the token value on the Ajax request and throws an exception if the token is not valid or not passed.

    using System;
    using System.Web;
    using System.Web.Helpers;
    using System.Web.Mvc;

    [AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
    public class AjaxValidateAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            try
            {
                if (filterContext.HttpContext.Request.IsAjaxRequest())
                {
                    // Ajax callers send the tokens in a request header rather than a form field.
                    this.ValidateRequestHeader(filterContext.HttpContext.Request);
                }
                else
                {
                    // Regular form posts are validated exactly like [ValidateAntiForgeryToken].
                    AntiForgery.Validate();
                }
            }
            catch (HttpAntiForgeryException e)
            {
                // Keep the original exception as the inner exception for diagnostics.
                throw new HttpAntiForgeryException("Anti-forgery token missing or invalid", e);
            }
        }

        private void ValidateRequestHeader(HttpRequestBase request)
        {
            string cookieToken = string.Empty;
            string formToken = string.Empty;

            // The header carries "<cookieToken>,<formToken>" as emitted by the layout page.
            string tokenValue = request.Headers["VerificationToken"];
            if (!string.IsNullOrEmpty(tokenValue))
            {
                string[] tokens = tokenValue.Split(',');
                if (tokens.Length == 2)
                {
                    cookieToken = tokens[0].Trim();
                    formToken = tokens[1].Trim();
                }
            }

            // Throws HttpAntiForgeryException when either token is missing or they do not match.
            AntiForgery.Validate(cookieToken, formToken);
        }
    }

2) Assign the validator attribute to the Actions.

Add the validator attribute to the actions which need anti-forgery token for validation.

    [AjaxValidateAntiForgeryToken]
    public JsonResult PostSampleAction(string name)
    {
        return this.Json("Post Passed Validation -" + name);
    }

AntiForgerySample.zip