Reputation: 1
I'm trying to add CSRF protection to an existing MVC4 web application which uses DevExpress grids. I've added the Html.AntiForgeryToken() into the forms on the aspx pages (which contain ascx as partials containing the grids) and can see the __RequestVerificationToken and its value clearly in developer tools when a save is called.
I've tried commenting out all my ValidateAntiForgeryToken attributes bar one - I went with the delete post method for simplicity (and also to eliminate the DevExpress grids messing with it) - and I still keep coming up against this error:
There was a HttpAntiForgeryException
The exception message is The required anti-forgery form field "__RequestVerificationToken" is not present.
Does anyone have any idea why this might be happening? Could it be that the error is non-descriptive and it's actually that the token doesn't match rather than that it doesn't exist? In previous answers to this question people just say "oh, you have to add the token," which is obviously not helpful here.
Upvotes: 0
Views: 2678
Reputation: 1
That is the exact error you'll get when trying to use the @Html.AntiForgeryToken() with a FormMethod.GET!
To prevent CSRF attacks, you'll want the @Html.AntiForgeryToken() on state-changing requests such as POST, DELETE, PUT, and PATCH. Not, however, on GET requests. GET requests DO NOT change any state, they only retrieve data.
Upvotes: 0
Reputation: 88
Not exactly. If the MVC AntiForgeryToken is already defined on the page where you are using MvcxGridView and you want to protect grid actions, you should send this token back to the server during the grid's client-side begin callback event.
settings.ClientSideEvents.BeginCallback = "function(s,e) { e.customArgs[\"__RequestVerificationToken\"] = $('input[name=\"__RequestVerificationToken\"]', $(s.GetMainElement())).val(); }";
Upvotes: 0
Reputation: 1
After struggling with this for days I had a thought - maybe the browser is stopping the cookie being written. I did a search for dev servers and cookies not being written, and found that with Chrome and IE10 and up there are problems writing the cookies.
I downloaded Firefox and tried it with that and it worked instantly. I then reapplied all the validate attributes to all the controller methods and they all worked, every single one of them! Even the DevExpress postbacks seem to be working correctly.
I'll carry out more exhaustive testing, but for now, I think we're there.
Upvotes: 0
Reputation: 718
Point 1: Make sure your application has the HTTPS secure protocol. Please load it over HTTPS.
Point 2: In the case of DevExpress, you have to call it in the pattern below.
ViewContext.Writer.Write(Html.AntiForgeryToken().ToHtmlString());
Upvotes: 0
Reputation: 23
Are you submitting the form manually through Ajax? If that's the case, you need to pass the anti forgery token as another parameter with the name "__RequestVerificationToken".
Upvotes: 1
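Added example, not part of any answer in this thread: a token that is visible in developer tools can still be reported as "not present" if it travels somewhere other than the posted form fields, so this sketch builds a form-encoded Ajax body that carries the token and reports where a captured request actually holds it. The function names and the `req` shape are hypothetical, and it assumes the server-side check reads the token only from the posted form collection (form-urlencoded or multipart bodies), not from the query string or a JSON body.

```javascript
// Field name taken from the error message quoted in the question.
const FIELD = "__RequestVerificationToken";

// Build an application/x-www-form-urlencoded body that carries the token as
// a form field. In a browser the token would be read from the hidden input,
// e.g. document.querySelector('input[name="' + FIELD + '"]').value
function buildTokenBody(params, token) {
  if (!token) throw new Error("no anti-forgery token found on the page");
  const body = new URLSearchParams(params);
  body.set(FIELD, token); // replace any stale copy already in params
  return body.toString();
}

// Report where a captured request carries the token.
// req is a constructed shape: { url, contentType, body }.
// Returns "form", "query", "json" or "absent".
function locateToken(req) {
  const type = (req.contentType || "").split(";")[0].trim().toLowerCase();
  const body = req.body || "";
  if (type === "application/x-www-form-urlencoded" &&
      new URLSearchParams(body).has(FIELD)) {
    return "form";
  }
  if (type === "multipart/form-data" && body.includes('name="' + FIELD + '"')) {
    return "form";
  }
  // A token in the query string (typical for a GET form) is not a form field.
  const q = req.url.indexOf("?");
  if (q !== -1 && new URLSearchParams(req.url.slice(q + 1)).has(FIELD)) {
    return "query";
  }
  // A token inside a JSON payload is not a form field either.
  if (type === "application/json") {
    try {
      if (FIELD in JSON.parse(body)) return "json";
    } catch (e) {
      // body is not a JSON object; fall through
    }
  }
  return "absent";
}
```

Anything other than "form" from `locateToken` means the token was sent but not as a posted form field.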