AntiForgeryToken deprecated in ASP.Net MVC 4 RC

1

28

I just installed ASP.Net MVC 4 RC to replace ASP.Net MVC 4 beta. When trying to run an existing application I'm getting an error message that AntiForgeryToken has been deprecated. Here's my code:

using (Html.BeginForm("", "", FormMethod.Post, new { id = "MonthElectionForm" }))
{
    @Html.AntiForgeryToken("AddEditMonthElection")
}

---- UPDATE ---

ASP.Net MVC 4 RC has made the Salt property obsolete for ValidateAntiForgeryToken attribute and AntiForgeryToken html helper. So, now my code looks like this:

controller:

        [HttpPost]
        [ValidateAntiForgeryToken]
        public JsonResult CreateCompany(CompanyDataEntryViewModel modelData)
        {...}

form:

@using (Html.BeginForm("", "", FormMethod.Post, new { id = "CreateCompanyDataEntryForm" }))
{
    @Html.AntiForgeryToken()
...
}

Looking at generated HTML, AntiForgeryToken still generates a hidden field and provides an encrypted value. My action still works too. But I've lost the ability to designate a key to use in the encryption process. I'm not too sure how the process works, but before I can tell I was setting the salt value on the action and on the form. The values had to match in order for the action to accept the post. So, how do you set the salt value now? I think it has something to do with AntiForgeryConfig AdditionalDataProvider but I cannot find anything googling on how to use AntiForgeryConfig AdditionalDataProvider. Please help.

Thanks

Goodness answered 1/6, 2012 at 13:33 Comment(2)
Do you get this detailed error message? "This method is deprecated. Use the AntiForgeryToken() method instead. To specify custom data to be embedded within the token, use the static AntiForgeryConfig.AdditionalDataProvider property."? - Karankaras
Yes, I saw that detailed error message. How do you use the AntiForgeryConfig.AdditionalDataProvider property? Can we no longer use attributes on an action like before? Not much is showing when googling the AntiForgeryConfig.AdditionalDataProvider property. - Goodness
43

Setting the salt parameter is unnecessary and didn't provide any additional protection, so we removed support for it.

Please see my response at "How to choose a salt value for ValidateAntiForgeryToken" for more information.

Hardhack answered 1/6, 2012 at 19:46 Comment(2)
Ahhh, makes sense now. I assumed the value we were using for the Salt value was used in the encryption process. Thanks for clearing this up. - Goodness
So, what do you do in the case where you have multiple login forms (different methods) on the same page, and each one needs a token? I'm running into the issue where I'm getting errors with the token because one form is started, but then the other one is selected and submitted. (Like internal user login vs. external user login.) - Kirkkirkcaldy
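
For the AntiForgeryConfig.AdditionalDataProvider property named in the deprecation message, here is one way to wire it up, as an added example that is not code from the posts above or from the ASP.NET team. The class names and the Items key are hypothetical; as the answer states, a per-form value is not needed for protection, so this only shows how custom data is embedded in the token and checked on post.

```csharp
using System;
using System.Web;
using System.Web.Helpers;

// Hypothetical provider: embeds the name of the action a form targets in the
// form token and rejects the token when it is posted to a different action.
public sealed class ActionBoundTokenData : IAntiForgeryAdditionalDataProvider
{
    // Hypothetical HttpContext.Items key that the view sets before the token
    // is rendered, for example in Razor:
    //   @{ Context.Items[ActionBoundTokenData.ItemsKey] = "CreateCompany"; }
    //   @Html.AntiForgeryToken()
    public const string ItemsKey = "AntiForgery.TargetAction";

    // Called while @Html.AntiForgeryToken() builds the hidden field.
    // A form that never sets the key gets an empty string embedded, which
    // ValidateAdditionalData below will reject for every action.
    public string GetAdditionalData(HttpContextBase context)
    {
        return context.Items[ItemsKey] as string ?? string.Empty;
    }

    // Called during [ValidateAntiForgeryToken] processing; additionalData is
    // the string that GetAdditionalData returned when the form was rendered.
    public bool ValidateAdditionalData(HttpContextBase context, string additionalData)
    {
        var route = context.Request.RequestContext.RouteData;
        var action = route.GetRequiredString("action");

        // MVC matches action names case-insensitively, so compare the same way.
        return string.Equals(additionalData, action, StringComparison.OrdinalIgnoreCase);
    }
}

public static class AntiForgerySetup
{
    // Call once from Application_Start in Global.asax.cs.
    public static void Register()
    {
        AntiForgeryConfig.AdditionalDataProvider = new ActionBoundTokenData();
    }
}
```

The controller action keeps the parameterless [ValidateAntiForgeryToken] attribute; the provider is global, so every form that renders a token must set the Items key first.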
