xandune

Reputation: 55

ValidateAntiForgeryToken doesn't do the only thing it is supposed to do

I am implementing the AntiForgeryToken feature in my ASP.NET Core MVC project. As usual, I have included @Html.AntiForgeryToken() inside the form tags, so it looks like this:

<form method="post" action="mycontroller/myaction">
    @Html.AntiForgeryToken()
    <input type="text" name="myInput"/>
    <button type="submit">Submit</button>
</form>

and, as you can imagine, here is the myaction action in my mycontroller controller:

[HttpPost]
[Route("somepath")]            // attribute route: this action answers at /somepath
[ValidateAntiForgeryToken]     // should reject the POST with 400 when the token/cookie pair is missing or invalid
public IActionResult myaction()
{
    //some code here
    return Ok();               // placeholder so the action compiles
}

Now the problem is, I NEVER GET ANY ERROR!!

I removed the @Html.AntiForgeryToken() from the view and the [ValidateAntiForgeryToken] doesn't do a thing! The post action works just fine.

Here are two things I have tried that might give you a clue:

  1. I tried both [ValidateAntiForgeryToken] and [ValidateAntiForgeryToken()]; no difference!
  2. Someone said that the attribute only works in authorized controllers or actions. I tried this in my controller that has the [Authorize] tag.

PS: I have not added any code to my Startup.cs like services.AddMvc(...). Could it be something about that?

Please help.

Upvotes: 1

Views: 3618

Answers (2)

Mike Brind

Reputation: 30035

In an MVC app (which is what you have there), request verification using an anti-forgery token is opt-in. You opt in by decorating the controller action with the [ValidateAntiForgeryToken] attribute. If you omit the attribute, the request is not subject to verification. In each of the scenarios you described, there is no reason for an error. The only time you are likely to see an error (in the shape of a 400 HTTP status code) in an MVC app is if you decorate the action with the [ValidateAntiForgeryToken] attribute but the cookie or token is not included as part of the request payload.

In Razor Pages, all POST requests are verified by default. You can opt out of request verification, in which case you can opt back in on a page-by-page basis by adding the attribute to the PageModel class (not the handler method). The anti-forgery token is generated by the form tag helper when the method is set to POST, in both Razor Pages and MVC views.

Sometimes you might want to post without a form (most commonly using AJAX), in which case you need to generate the anti-forgery token in the view so that you can include it in the post request payload. The Html.AntiForgeryToken helper (a legacy from older versions of MVC) provides a convenient way to do that.

I've written in detail about this process here: https://www.learnrazorpages.com/security/request-verification

Upvotes: 2
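The opt-in model described in the answer above, shown as an added example in C# (not code from the question, the answer, or the linked article). It wires an ASP.NET Core 6+ MVC app three ways: per-action opt-in with [ValidateAntiForgeryToken], a global AutoValidateAntiforgeryToken filter that turns verification into opt-out, and a header name for AJAX callers that cannot use the form tag helper's hidden field. MyController, MyAction, the Token and Webhook actions and the X-CSRF-TOKEN header name are assumed names for illustration; the Razor Pages global opt-out is shown as a commented line because the app registers MVC controllers, not pages.

```csharp
// Added example (not from the page): request verification wiring for an ASP.NET Core MVC app.
// MyController, MyAction, Token, Webhook and the X-CSRF-TOKEN header are assumed names.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// MVC: verification is opt-in per action. Registering the auto-validate filter globally
// makes it opt-out, so an action that forgets [ValidateAntiForgeryToken] still rejects
// forged POST/PUT/PATCH/DELETE requests. GET, HEAD, OPTIONS and TRACE are never checked.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

// Razor Pages: verification is on by default. This is the documented global opt-out;
// after it, [ValidateAntiForgeryToken] on a PageModel class opts a single page back in.
// builder.Services.AddRazorPages(o => o.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute()));

// AJAX callers send the request token in a header instead of the hidden form field.
// The cookie half is still required; the header only replaces __RequestVerificationToken.
builder.Services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");

var app = builder.Build();
app.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
app.Run();

public class MyController : Controller
{
    private readonly IAntiforgery _antiforgery;
    public MyController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // Ordinary form post: the form tag helper (or @Html.AntiForgeryToken()) emits the
    // hidden field and sets the antiforgery cookie. If either half is missing or they
    // do not match, the filter returns 400 before this body runs. With the global
    // filter above the attribute is redundant, but it documents the intent.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult MyAction(string myInput) => Ok(myInput);

    // Token for script code: GetAndStoreTokens sets the cookie half on this response and
    // returns the request half, which the client echoes back in the X-CSRF-TOKEN header.
    // Same-origin policy stops another site from reading this JSON, so handing it out
    // on a GET does not weaken the scheme.
    [HttpGet]
    public IActionResult Token()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Ok(new { token = tokens.RequestToken });
    }

    // Explicit per-action opt-out for an endpoint that authenticates another way,
    // for example a webhook with its own signature. Keep these rare and reviewed:
    // every one of them is a POST that forged cross-site requests can reach.
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult Webhook() => Ok();
}
```

With the global filter in place, the situation in the question (attribute present, token removed from the view, POST still succeeds) can only happen if the request is actually reaching an action that carries [IgnoreAntiforgeryToken], which makes the opt-outs the first thing to audit.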

Ruikai Feng

Reputation: 11621

ValidateAntiForgeryToken is used to prevent cross-site request forgery attacks.

Antiforgery middleware is added to the dependency injection container when services.AddMvc() is called, and the FormTagHelper has already injected antiforgery tokens into HTML form elements. You don't need to call @Html.AntiForgeryToken().

For more details, you could check this document.

Upvotes: 4
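A check for the question's "I never get any error" symptom, as an added example that is not part of either answer: an in-process integration test that stands up a minimal MVC app with the antiforgery services that AddControllersWithViews registers, then proves that an action shaped like the asker's (POST, attribute route somepath, [ValidateAntiForgeryToken]) returns 400 without the token, that the same POST succeeds on an otherwise identical unguarded action, and that the cookie and the request token are both required. It assumes an xunit test project with a FrameworkReference to Microsoft.AspNetCore.App and the Microsoft.AspNetCore.TestHost package; ProbeController, the /unguarded and /token routes and the AntiforgeryProbe class are stand-ins written for this example.

```csharp
// Added example (not from the page): proves the [ValidateAntiForgeryToken] action rejects
// a POST without the cookie/token pair. ProbeController and its routes are stand-ins.
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Xunit;

public class ProbeController : Controller
{
    // Same shape as the asker's action: POST, attribute route, verification opted in.
    [HttpPost("somepath")]
    [ValidateAntiForgeryToken]
    public IActionResult Guarded() => Ok("accepted");

    // Control: identical action with the attribute left off.
    [HttpPost("unguarded")]
    public IActionResult Unguarded() => Ok("accepted");

    // Issues the cookie half via Set-Cookie and returns "fieldName=requestToken".
    [HttpGet("token")]
    public IActionResult Token([FromServices] IAntiforgery antiforgery)
    {
        AntiforgeryTokenSet t = antiforgery.GetAndStoreTokens(HttpContext);
        return Content($"{t.FormFieldName}={t.RequestToken}");
    }
}

public class AntiforgeryProbe
{
    private static async Task<HttpClient> StartAsync()
    {
        IHost host = await new HostBuilder()
            .ConfigureWebHost(web => web
                .UseTestServer()
                // AddControllersWithViews also registers the antiforgery services.
                .ConfigureServices(s => s.AddControllersWithViews()
                    .AddApplicationPart(typeof(ProbeController).Assembly))
                .Configure(app =>
                {
                    app.UseRouting();
                    app.UseEndpoints(e => e.MapControllers());
                }))
            .StartAsync();
        return host.GetTestClient();
    }

    private static FormUrlEncodedContent Form(params (string Name, string Value)[] fields) =>
        new FormUrlEncodedContent(fields.Select(f => new KeyValuePair<string, string>(f.Name, f.Value)));

    [Fact]
    public async Task Post_without_token_is_rejected_with_400()
    {
        HttpClient client = await StartAsync();
        HttpResponseMessage resp = await client.PostAsync("/somepath", Form(("myInput", "x")));
        Assert.Equal(HttpStatusCode.BadRequest, resp.StatusCode);
    }

    [Fact]
    public async Task Unguarded_action_accepts_the_same_post()
    {
        HttpClient client = await StartAsync();
        HttpResponseMessage resp = await client.PostAsync("/unguarded", Form(("myInput", "x")));
        Assert.Equal(HttpStatusCode.OK, resp.StatusCode);
    }

    [Fact]
    public async Task Cookie_and_token_are_both_required()
    {
        HttpClient client = await StartAsync();
        HttpResponseMessage tokenResp = await client.GetAsync("/token");
        string[] field = (await tokenResp.Content.ReadAsStringAsync()).Split('=', 2);
        // The test client keeps no cookie jar, so carry the antiforgery cookie over by hand.
        string cookie = tokenResp.Headers.GetValues("Set-Cookie").First().Split(';')[0];

        var withBoth = new HttpRequestMessage(HttpMethod.Post, "/somepath")
        {
            Content = Form((field[0], field[1]), ("myInput", "x"))
        };
        withBoth.Headers.Add("Cookie", cookie);
        Assert.Equal(HttpStatusCode.OK, (await client.SendAsync(withBoth)).StatusCode);

        // Request token without its cookie: the two halves no longer match, so 400.
        HttpResponseMessage noCookie =
            await client.PostAsync("/somepath", Form((field[0], field[1]), ("myInput", "x")));
        Assert.Equal(HttpStatusCode.BadRequest, noCookie.StatusCode);
    }
}
```

If the first test passes against your own controller (swap ProbeController for it and point the probe at your real route), the attribute is working and the form in the question is simply posting somewhere else; if it fails, look for a global IgnoreAntiforgeryToken filter or a route that resolves to a different action than the one you decorated.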
