c# - Processing AntiForgeryToken send with Ajax -


Hello, I'm following this tutorial:

and I'm trying to send an Ajax request that includes the AntiForgeryToken. Here is the Ajax request:

    $(document).ready(function () {
        // Razor helper: renders the anti-forgery pair as "cookieToken:formToken"
        @functions{
            public string TokenHeaderValue()
            {
                string cookieToken, formToken;
                AntiForgery.GetTokens(null, out cookieToken, out formToken);
                return cookieToken + ":" + formToken;
            }
        }
        $('.z').on('click', function (event) {
            event.preventDefault();
            $.ajax({
                url: "/deviceusage/return",
                type: "post",
                contentType: "application/json; charset=utf-8",
                dataType: 'html',
                // the token pair travels in a custom request header
                headers: {
                    'RequestVerificationToken': '@TokenHeaderValue()'
                },
                data: JSON.stringify({ dev: { deviceinstanceid: $('#deviceinstanceid').val(), userid: "1", storageid: $('#storageid').val() } }),
                error: function (data) {
                    alert("wystąpił nieokreślony błąd " + data);
                },
                success: function (data) {
                    $('.modal-body').html(data);
                }
            })
        })
    });

Here is the controller:

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Return(deviceusage dev)
    {
        if (dev.storageid == 3)
        {
            ModelState.AddModelError("", "nie można oddać na własne biurko");
            ViewBag.storageid = new SelectList(unitofwork.storagerepository.get(), "id", "name", dev.storageid);
            return PartialView(dev);
        }
        dev.userid = 1;
        unitofwork.deviceusagerepository.update(dev);
        unitofwork.save();
        return RedirectToAction("mydevices");
    }

But the tutorial shows a function like:

    void ValidateRequestHeader(HttpRequestMessage request)
    {
        string cookieToken = "";
        string formToken = "";

        IEnumerable<string> tokenHeaders;
        if (request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders))
        {
            // header value has the form "cookieToken:formToken"
            string[] tokens = tokenHeaders.First().Split(':');
            if (tokens.Length == 2)
            {
                cookieToken = tokens[0].Trim();
                formToken = tokens[1].Trim();
            }
        }
        AntiForgery.Validate(cookieToken, formToken);
    }

But I have no idea where to put this code in the controller and how to call this function. Can anyone explain to me how to use the above code?

What is shown in the Anti-CSRF and AJAX section of the tutorial is a non-standard token validation method. In that example you do not use [ValidateAntiForgeryToken], but rather run the validation manually. Firstly, you inject an additional header in the Ajax call:

        headers: {
            'RequestVerificationToken': '@TokenHeaderValue()'
        },

and then read and validate the token from the header in the action:

    [HttpPost]
    public ActionResult Return(deviceusage dev)
    {
        ValidateRequestHeader(Request);
        //process action
    }

    void ValidateRequestHeader(HttpRequestBase request)
    {
        string cookieToken = "";
        string formToken = "";

        if (request.Headers["RequestVerificationToken"] != null)
        {
            // header value has the form "cookieToken:formToken"
            string[] tokens = request.Headers["RequestVerificationToken"].Split(':');
            if (tokens.Length == 2)
            {
                cookieToken = tokens[0].Trim();
                formToken = tokens[1].Trim();
            }
        }
        AntiForgery.Validate(cookieToken, formToken);
    }

Notice that ValidateRequestHeader() reads the header set earlier by the jQuery call. Also, I've amended the method to accept HttpRequestBase.

Tip: to avoid adding ValidateRequestHeader() to every controller that responds to Ajax calls, add it to a base controller if you have any, and derive the controllers from the base. Or, even better, create your own [ValidateAntiForgeryAjaxToken] attribute.
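
One way to write the [ValidateAntiForgeryAjaxToken] attribute suggested in the tip above, as an added example that is not part of the original answer or the tutorial. It assumes ASP.NET MVC 5 with System.Web.Helpers and the same "cookieToken:formToken" header format used on this page; the class body and the 403 response are choices made for this example.

```csharp
using System;
using System.Net;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example: authorization filter that validates the anti-forgery token
// pair sent in the "RequestVerificationToken" header by the Ajax call above.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class ValidateAntiForgeryAjaxTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    private const string HeaderName = "RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        string cookieToken = "";
        string formToken = "";

        // Header format: "cookieToken:formToken". Anything else leaves both
        // values empty, so validation below fails closed.
        string header = filterContext.HttpContext.Request.Headers[HeaderName];
        if (header != null)
        {
            string[] tokens = header.Split(':');
            if (tokens.Length == 2)
            {
                cookieToken = tokens[0].Trim();
                formToken = tokens[1].Trim();
            }
        }

        try
        {
            // Throws HttpAntiForgeryException when a token is missing or the pair does not match.
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Short-circuit the action; the Ajax error callback receives a 403.
            filterContext.Result = new HttpStatusCodeResult(
                HttpStatusCode.Forbidden, "Anti-forgery token validation failed");
        }
    }
}

// Usage on the action from this page, replacing [ValidateAntiForgeryToken]:
//   [HttpPost, ValidateAntiForgeryAjaxToken]
//   public ActionResult Return(deviceusage dev) { ... }
```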

