
Are anti-forgery tokens necessary on a login page?

security,web,login,csrf,antiforgerytoken

Expanding on IRCMaxell's answer. CSRF is by definition meant to use a user's session and/or permissions against them. A non-authenticated user isn't the target of CSRF. Here's a useful OWASP article on the subject: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 Placing anti-forgery tokens in login forms is almost entirely for consistency's sake. EDIT: That last...

ASP.NET vNext AntiForgeryToken

asp.net-mvc-6,antiforgerytoken

The form tag helper will automatically add the anti forgery token. (Unless you use it as a standard html form element, manually adding an action attribute). Check the source code of the form tag helper; you will see the following at the end of the Process method. if (AntiForgery ??...

An unhandled exception of System.InvalidOperationException breaks my MVC App?

c#,asp.net-mvc-5,antiforgerytoken

This article might help: Unfortunately this error is a little confusing because it says “nameidentifier or identityprovider” even though you may have one of the two. By default you need both. Anyway, if you’re not using ACS as your STS then the above error pretty much tells you what’s needed...

Is the antiforgery token function not safe?

asp.net-mvc,antiforgerytoken

It's safe. Placing an anti forgery token in the form also creates a cookie named __RequestVerificationToken with the same token. This cookie is also validated to verify the request. Since the attacker can't add cookies to the application domain, they can't pass this validation. Steve Sanderson has a nice blog post...

Asp.Net MVC Antiforgery validation fails when non-null usernames differ…is that reasonable?

asp.net-mvc,security,cookies,csrf,antiforgerytoken

I see two ways of handling it: Use a Javascript callback to the server before hitting a button to detect if the user is still logged in. If not, display a message to him. It should be relatively easy to do this. But it requires one additional call, and a little bit...

JQGrid able to pass ValidateAntiForgeryToken through the main CRUD controls?

jquery,jqgrid,antiforgerytoken

It's definitively wrong to use key: true for more than one column. It breaks rowids. The id values of rows must have unique values over the HTML page. I recommend you verify whether the jsonReader which you use really corresponds to the input data which you use. It looks suspect. If...

Adding AntiForgeryToken to non-Ajax Form Submit

c#,forms,post,antiforgerytoken

This one turns out to be one of those "How did I miss that...?!" moments. While the above approach is perfectly legitimate, the only problem is that the __RequestVerificationToken has to belong to a name attribute instead of to an id as in my initial example. I tried posting my...

Logging in a user to a Web API application

c#,security,asp.net-web-api,simplemembership,antiforgerytoken

Please see my answers below. 1. How secure is the above call? Because, by default, the credentials are not encrypted, so if there isn't any encryption in place like SSL to protect communication, the data will not be secure. More details from here. 2. Is the above code secure enough...

ASP .NET MVC anti-forgery token value, not HTML

c#,asp.net,asp.net-mvc,asp.net-mvc-4,antiforgerytoken

Alright, the method I was after was hidden in plain sight. The AntiForgery class provides a public method called GetTokens which is what I need.

ValidateAntiForgeryToken is failing from AJAX call

javascript,jquery,ajax,model-view-controller,antiforgerytoken

Your outgoing $.ajax() call is coded with a contentType property. That affects the content type of the request, not the response. I have not found in the jQuery source where and how that affects the HTTP request that gets made....

Pass RequestVerificationToken from Angular js to mvc controller

asp.net-mvc,angularjs,angularjs-scope,antiforgerytoken,csrf-protection

Yes, I'm getting it correctly, if I pass it like below: return $http({ method: opt.method, url: opt.url, params: opt.params, data: opt.data, headers: { '__RequestVerificationToken': $(':input:hidden[name*="RequestVerificationToken"]').val() } }) ...

AntiForgeryToken does not work well with OAuth via WebAPI

c#,asp.net-mvc-4,oauth,asp.net-web-api,antiforgerytoken

Why are you using an AntiForgeryToken with Web API? It's not necessary; just authenticate your request with OAuth. They are not meant to work together.