How to use MVC AntiForgeryToken with partial views

Question

0.00/5 (No votes)

See more:

If I have a form/view that will display 1 or more partial views based on user responses. Where do I need to place the AntiForgeryToken? In the parent view? In the partial views? Both?

Currently, I have it in the partial views, but we are occasionally getting an error:

Type:System.Web.Mvc.HttpAntiForgeryException
Message:A required anti-forgery token was not supplied or was invalid.

The error is reported in production only, we are unable to reproduce it on developer machines (typical).

My theory is that when multiple partial views are represented a mismatch of tokens occurs and the error is reported. My thinking is to move the token to the main/parent view.

Am I on the right track? Anybody had to deal with something similar?

Posted 12-Mar-14 8:13am

littleGreenDude

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Jay Surendranath · Answer 1 · 2014-03-12T08:24:00

Solution 1

In your View(assuming razor), use the HTML helper for ValidateAntiForgeryToken inside the form:

@using (Html.BeginForm()) {
   @Html.ValidationSummary(true)
   @Html.AntiForgeryToken()
   <fieldset>
       </fieldset>

Then in the HttpPost method for the controller action, decorate it with the ValidateAntiForgeryToken attribute:

C#

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Create(ModelType modelObj)
{
    if (ModelState.IsValid)
    {
        ///
    }

    return View(modelObj);
}

Posted 12-Mar-14 8:24am

Jay Surendranath

Comments

littleGreenDude 12-Mar-14 15:11pm

Thank you for the response. Yes, the razor assumption is correct. At the basic level I understand what you are saying. My question is more driven by what is the proper approach when dealing with partial views. Is there a token for each partial view, or the container as a whole?

Currently our form contains divs for 5 partial views. The user is responding to a list of certification questions, and based on responses 1 or more divs/partial views are displayed. Each partial view is accepted/declined (button select) and the form as a whole is submitted (button). Currently, each partial view has its own AntiForgeryToken and corresponding token validation in the controller (in the manner as you indicated).

With this approach we periodically see the System.Web.Mvc.HttpAntiForgeryException