Open apolun opened 9 years ago
I want to share a solution for the problem of MVC controllers when working with JSON and antiforgery requests to server.
What is the problem exactly you are trying to solve ?
I believe there is a code comment mentioning the word "hack". This solution sends the antiforgery token via an http header so the "hack" can go. I think it's clever (in a positive sense).
@sebastienros The problem is in binding of Json and our Models when working with anitforgery tokens Specially when you try to send a collection of objects When you want to update your model with ajax There are solutions available something like this http://ryankeeter.com/ajax-and-anti-forgery-tokens-in-orchard-cms is work fine when you define antiforgerytoken in your model which I mark as bad practice specially when you try to update a collection of objects forexample list of persons in the example But I only append "one if" for ajax request to validate our Request and after that Everything works fine No change in our model no worry about sending arrays of objects and bindings and life is beautiful :)
@apolun I had to also use your version for MVC 4 but I didn't change the core just overrode using suppressDependency but for each new version of orchard there is a new version of AntiForgeryAuthorizationFilter so I too would like this in the master branch
The recommended solution has been posted on StackOverflow http://stackoverflow.com/questions/9029402/orchard-cms-ajax-anti-forgery-token-when-logged-in/9039504#9039504
Thanks but some more hours retesting this approach. This approach as stated above, does not work with a json model
I understand the issue.
The solution you proposed has a flaw though. If someone is already using the form body to pass the AFT during an ajax call, then your code would not test it. Hence we need to check the presence of the value in the header, otherwise fallback to the standard validation.
Also might be interesting to see what options are available in ASP.NET Core about the cookie names. I know Angular is using a specific header name by default. we might want to support changing the header name too by configuration.
And then we might probably update the documentation and the SO answer as this is a better technique.
Hello everyone, after hours of trying to override Orchard's default AntiForgery filter without changing the source I found this blog post that saved me from further stress, suggesting the use of the action filter [ValidateAntiForgeryTokenOrchard(false)] https://weblogs.asp.net/bleroy/opting-out-of-anti-forgery-validation-in-orchard
Hi to all I want to share a solution for the problem of MVC controllers when working with JSON and antiforgery requests to server. First of all I get the exceptions about 'RequestVerificationToken' There are several hacks that we could do to send these requests such as removing content type from ajax config or send objects and serialize and deserialize them from an array of string but Here is my solution with a few line of code in 'AntiForgeryAuthorizationFilter ' class and hope someone commit this change to master branch Just search for 'AntiForgeryAuthorizationFilter' class and change the OnAuthorization to this
and in ajax request :