How can I supply an AntiForgeryToken when posting JSON data using $.ajax?

HerbalMart · May 25, 2010 · Viewed 72.3k times

I am using the code as below of this post:

First I will fill an array variable with the correct values for the controller action.

Using the code below I think it should be very straightforward by just adding the following line to the JavaScript code:

data["__RequestVerificationToken"] = $('[name=__RequestVerificationToken]').val();

The <%= Html.AntiForgeryToken() %> is at its right place, and the action has a [ValidateAntiForgeryToken]

But my controller action keeps saying: "Invalid forgery token"

What am I doing wrong here?

Code

var data = {};   // object that is later serialized as the JSON request body

data["fiscalyear"] = fiscalyear;
data["subgeography"] = $(list).parent().find('input[name=subGeography]').val();
data["territories"] = new Array();

$(items).each(function() {
    data["territories"].push($(this).find('input[name=territory]').val());
});

if (url != null) {
    $.ajax({
        dataType: 'JSON',
        contentType: 'application/json; charset=utf-8',
        url: url,
        type: 'POST',
        context: document.body,
        // every key of data, including a __RequestVerificationToken entry,
        // ends up inside the JSON body rather than as a form field
        data: JSON.stringify(data),
        success: function() { refresh(); }
    });
}

Answer

Ken Q · Jun 24, 2014

You don't need the ValidationHttpRequestWrapper solution since MVC 4, according to this link.

  1. Put the token in the headers.
  2. Create a filter.
  3. Put the attribute on your method.

Here is my solution:

// read the token from the hidden input rendered by Html.AntiForgeryToken()
var token = $('input[name="__RequestVerificationToken"]').val();
var headers = {};
// send it as a request header instead of inside the JSON body
headers['__RequestVerificationToken'] = token;
$.ajax({
    type: 'POST',
    url: '/MyTestMethod',
    contentType: 'application/json; charset=utf-8',
    headers: headers,
    data: JSON.stringify({
        Test: 'test'
    }),
    dataType: "json",
    success: function () {},
    error: function (xhr) {}
});


using System;
using System.Threading.Tasks;
using System.Web.Helpers;   // AntiForgery, AntiForgeryConfig
using System.Web.Mvc;       // FilterAttribute, IAuthorizationFilter, AuthorizationContext

// Authorization filter that validates the anti-forgery token from a request
// header, so it works for JSON posts where the token is not a form field.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public class ValidateJsonAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        var httpContext = filterContext.HttpContext;
        // the cookie half of the token pair, set by Html.AntiForgeryToken()
        var cookie = httpContext.Request.Cookies[AntiForgeryConfig.CookieName];
        // the form half is read from the header instead of Request.Form;
        // AntiForgery.Validate throws HttpAntiForgeryException on mismatch
        AntiForgery.Validate(cookie != null ? cookie.Value : null, httpContext.Request.Headers["__RequestVerificationToken"]);
    }
}


[HttpPost]
[AllowAnonymous]
[ValidateJsonAntiForgeryToken]
public async Task<JsonResult> MyTestMethod(string Test)
{
    return Json(true);
}
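As an added example (not Ken Q's code, and not part of the original answer), the client side of the approach above generalized into a jQuery prefilter: it attaches the same header to every state-changing, same-origin $.ajax call, so individual calls no longer have to set it by hand, and it never sends the token to another origin. The document and origin are passed in as parameters so the core functions can run outside a browser.

```javascript
// Header name; must match what the server-side filter reads.
const TOKEN_HEADER = '__RequestVerificationToken';

// Methods that do not change server state and therefore need no token.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Read the token from the hidden input rendered by Html.AntiForgeryToken().
// `doc` is injectable (the real `document` in a browser) so this runs in Node too.
function readAntiForgeryToken(doc) {
  const input = doc.querySelector('input[name="__RequestVerificationToken"]');
  return input && input.value ? input.value : null;
}

// Compute the headers to add for one request. Returns an empty object for
// safe methods, for a missing token, and for cross-origin or unparsable URLs,
// so the token is only ever sent back to the site that issued it.
function antiForgeryHeaders(method, url, token, origin) {
  if (!token || SAFE_METHODS.has(String(method || 'GET').toUpperCase())) {
    return {};
  }
  let target;
  try {
    target = new URL(url, origin); // resolves relative URLs such as '/MyTestMethod'
  } catch (e) {
    return {};
  }
  if (target.origin !== new URL(origin).origin) {
    return {};
  }
  return { [TOKEN_HEADER]: token };
}

// Install the prefilter once (assumed browser usage:
// installAntiForgeryPrefilter(jQuery, document, window.location.origin);).
// Afterwards a plain $.ajax({ type: 'POST', url: '/MyTestMethod', ... })
// gets the header automatically.
function installAntiForgeryPrefilter($, doc, origin) {
  $.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    const headers = antiForgeryHeaders(
      options.type, options.url, readAntiForgeryToken(doc), origin);
    Object.keys(headers).forEach(function (name) {
      jqXHR.setRequestHeader(name, headers[name]);
    });
  });
}
```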