How to include the @Html.AntiForgeryToken() when deleting an object using a Delete link

john Gu picture john Gu · Apr 23, 2012 · Viewed 12.4k times · Source

i have the following ajax.actionlink which calls a Delete action method for deleting an object:-

 @if (!item.IsAlreadyAssigned(item.LabTestID))
        { 
        string i = "Are You sure You want to delete (" + @item.Description.ToString() + ") ?";
           @Ajax.ActionLink("Delete",
       "Delete", "LabTest",
      new { id = item.LabTestID },

new AjaxOptions
{ Confirm = i,
    HttpMethod = "Post",
    OnSuccess = "deletionconfirmation",
    OnFailure = "deletionerror"
})
} 

but is there a way to include @Html.AntiForgeryToken() with the Ajax.actionlink deletion call to make sure that no attacker can send a false deletion request?

BR

Answer

Darin Dimitrov picture Darin Dimitrov · Apr 23, 2012

You need to use the Html.AntiForgeryToken helper which sets a cookie and emits a hidden field with the same value. When sending the AJAX request you need to add this value to the POST data as well.

So I would use a normal link instead of an Ajax link:

@Html.ActionLink(
    "Delete", 
    "Delete", 
    "LabTest", 
    new { 
        id = item.LabTestID
    }, 
    new { 
        @class = "delete",
        data_confirm = "Are You sure You want to delete (" + item.Description.ToString() + ") ?"
    }
)

and then put the hidden field somewhere in the DOM (for example before the closing body tag):

@Html.AntiForgeryToken()

and finally unobtrusively AJAXify the delete anchor:

$(function () {
    $('.delete').click(function () {
        if (!confirm($(this).data('confirm'))) {
            return false;
        }

        var token = $(':input:hidden[name*="RequestVerificationToken"]');
        var data = { };
        data[token.attr('name')] = token.val();
        $.ajax({
            url: this.href,
            type: 'POST',
            data: data,
            success: function (result) {

            },
            error: function () {

            }
        });

        return false;
    });
});

Now you could decorate your Delete action with the ValidateAntiForgeryToken attribute:

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Delete(int id)
{
    ...
}