Manual Anti-Forgery Token Creation and Validation in ASP.NET 5
I am playing around with ASP vNext and AngularJS. I have set up a Web API, am using some controllers, and am using Angular to do some web magic.

I have followed most of this guide to get my project up and running: http://stephenwalther.com/archive/2015/01/29/asp-net-5-and-angularjs-part-6-security

... which works fine. I have set up my db and such and I have things working. I have the identity framework set up too, but I am not using it as of yet.

I want to post some data to the Web API, which also works fine, but now I want to do it while using anti-forgery tokens. I have googled a lot and I guess this makes the most sense: novablog

However, this uses System.Web.Helpers to create the tokens and validate them. They are not available anymore in vNext. I cannot figure out what to use to create and validate the tokens now.

Any ideas?

Mimeograph answered 30/3, 2015 at 18:48

Following is an example from the ASP.NET 5's MusicStore sample:

https://github.com/aspnet/MusicStore/blob/master/src/MusicStore/Controllers/ShoppingCartController.cs#L62

Snippet from the above link (note that you can use [FromServices] AntiForgery antiforgery as a parameter to the action if you do not like how the link does it above):

// Namespaces assumed for the ASP.NET 5 beta this sample targeted
// (they were renamed before ASP.NET Core 1.0 shipped):
using System.Threading.Tasks;
using Microsoft.AspNet.Mvc;                      // AntiForgery, AntiForgeryTokenSet, IActionResult
using Microsoft.Framework.DependencyInjection;   // GetService<T>() extension

[HttpPost]
public async Task<IActionResult> RemoveFromCart(int id)
{
    // The sample's client posts both halves of the token pair in a single
    // form field as "cookieToken:formToken", so they are split apart here.
    var formParameters = await Context.Request.ReadFormAsync();
    var requestVerification = formParameters["RequestVerificationToken"];
    string cookieToken = null;
    string formToken = null;

    if (!string.IsNullOrWhiteSpace(requestVerification))
    {
        var tokens = requestVerification.Split(':');

        if (tokens.Length == 2)
        {
            cookieToken = tokens[0];
            formToken = tokens[1];
        }
    }

    // Validate() throws if either half is missing or the pair does not
    // validate, so nothing after this line runs for a forged request.
    var antiForgery = Context.RequestServices.GetService<AntiForgery>();
    antiForgery.Validate(Context, new AntiForgeryTokenSet(formToken, cookieToken));

    // ... remainder of the action as in the linked sample
}
Daylong answered 30/3, 2015 at 20:5
Aahhh, there is a whole example I can use, awesome! Thanks for pointing that out! Most helpful! Mimeograph
You may find the client side of the code above here. Evenfall
This implementation has a problem: if a token gets stolen, it will be valid for that user for ever! Normally, the cookie part MUST go in the cookies and the other part in the headers (if you send JSON) or the form data. That way, if the site has proper security, someone can only steal the form-data token part, which will be valid only for as long as the user is logged in. Perrault
The GitHub link is broken. Tambac
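The split the last comment describes (cookie half kept in an HttpOnly cookie, request half sent in a header), as an added example that is not part of the original answer or the MusicStore sample. It is written against the IAntiforgery API that shipped with ASP.NET Core (Microsoft.AspNetCore.Antiforgery), which replaced the beta-era AntiForgery and AntiForgeryTokenSet types used in the snippet above. The controller, its routes and the readable cookie name XSRF-TOKEN (the name AngularJS $http looks for by default) are choices made for this illustration; the thread does not specify them.

```csharp
// Added example, not code from the original post or the MusicStore sample.
// Assumes ASP.NET Core's Microsoft.AspNetCore.Antiforgery package, which
// replaced the beta-era AntiForgery/AntiForgeryTokenSet types quoted above.
//
// Design: the cookie token lives in the framework's own HttpOnly cookie and
// is never readable by script; the request token is issued in a second,
// readable cookie (XSRF-TOKEN) that AngularJS $http copies into the
// X-XSRF-TOKEN header on every request. A leaked request token alone does
// not validate, because the matching cookie half is not exposed.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Look for the request token in the header AngularJS sends,
        // instead of in a hidden form field.
        services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
    {
        // Issue the token pair on GET requests (e.g. when the SPA shell loads).
        app.Use(async (context, next) =>
        {
            if (HttpMethods.IsGet(context.Request.Method))
            {
                // Generates (or reuses) the cookie token and writes the
                // framework's HttpOnly antiforgery cookie to the response.
                var tokens = antiforgery.GetAndStoreTokens(context);

                // Expose ONLY the request token to JavaScript. Cookie name
                // chosen to match AngularJS $http's default XSRF cookie.
                context.Response.Cookies.Append(
                    "XSRF-TOKEN",
                    tokens.RequestToken,
                    new CookieOptions
                    {
                        HttpOnly = false,            // Angular must be able to read it
                        Secure = true,               // never send over plain HTTP
                        SameSite = SameSiteMode.Strict
                    });
            }
            await next();
        });
        app.UseMvc();
    }
}

[Route("api/[controller]")]
public class CartController : Controller
{
    private readonly IAntiforgery _antiforgery;

    public CartController(IAntiforgery antiforgery)
    {
        _antiforgery = antiforgery;
    }

    // Manual validation, the counterpart of the answer's Validate() call:
    // the cookie half is read from the cookie and the request half from the
    // X-XSRF-TOKEN header configured above.
    [HttpPost("remove/{id}")]
    public async Task<IActionResult> RemoveFromCart(int id)
    {
        try
        {
            await _antiforgery.ValidateRequestAsync(HttpContext);
        }
        catch (AntiforgeryValidationException)
        {
            // Missing or mismatched token pair: reject before touching state.
            return BadRequest("Invalid anti-forgery token.");
        }

        // ... remove item `id` from the cart here ...
        return Ok();
    }

    // The same check done by the built-in filter (the attribute mentioned in
    // the second answer); it reads the same cookie + header pair.
    [HttpPost("clear")]
    [ValidateAntiForgeryToken]
    public IActionResult ClearCart()
    {
        return Ok();
    }
}
```

With this in place, AngularJS $http picks up the XSRF-TOKEN cookie and sends its value back in X-XSRF-TOKEN without any extra client code, and the two halves of the pair travel in separate channels, which is the property the comment above asks for. Stripping the "cookie:form" packing from the single form field also removes the need for the manual Split() in the snippet.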

Check out the MVC GitHub repo; ValidateAntiForgeryTokenAttribute exists.

And there's the asp-anti-forgery tag helper.

Crispas answered 30/3, 2015 at 20:6
Thanks! What is the tag helper? Is it a new replacement for the @Html.AntiForgery helper? Mimeograph
TagHelpers are helpers in HTML; you can still use the old @Html helper, but you can also write code like <form asp-anti-forgery></form>. For more information see the last Community Standup, which talks about that. Crispas