Anti-forgery token in Ajax calls

Question

0.00/5 (No votes)

See more:

Hello,

I did a fortify code analysis in an existing MVC application and fortify recommend me to implement anti-forgery token in all HTTP POST calls as below.

JavaScript

var token = $('input[name="__RequestVerificationToken"]').val();

var headers = {};

headers['__RequestVerificationToken'] = token;

$.ajax({
        url: ... some url,
        headers: headers,
        ....
});

Adding __RequestVerificationToken in all Ajax calls across the application can be challenging.

Please help me to understand ways to implement anti-forgery token without modifying all ajax calls in an existing application?

Posted 27-Jan-15 14:36pm

Liju Sankar

Updated 3-Oct-18 8:52am

v2

Add a Solution

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Sergey Alexandrovich Kryukov · Answer 1 · 2015-01-27T15:02:00

Would you read this article, it seems to be pretty clear: http://blogs.perficient.com/microsoft/2014/02/asp-net-mvc-anti-forgery-token-demystified-part-1-what-is-it[^]?
(See other parts referenced from this page.)

Sorry if you already know all that; if so, please explain your concern more clearly.

—SA

Member 11369232 · Answer 2 · 2018-10-03T08:52:00

This is what you want if you use JQUERY1-2. I'm looking to code this in pure JavaScript please.

var sToken = document.getElementsByName("__RequestVerificationToken")[0].value;
$.ajax({
url: "/Home/ClickCreateAccount/",
type: "POST",
contentType: "application/x-www-form-urlencoded",
data: { '__RequestVerificationToken': sToken, 'sMVCParameter1': sMVCParameter1, 'sMVCParameter2': sMVCParameter2 }
})
.done(function (data) {
//Process MVC Data here
})
.fail(function (jqXHR, textStatus, errorThrown) {
//Process Failure here
});

Anti-forgery token in Ajax calls

2 solutions

Solution 1

Solution 3

Add your solution here

Preview 0