c# - Get the raw values (not html) from AntiForgeryToken() -

-

this beautiful abstraction lets place @html.antiforgerytoken() in cshtml file magically expanded like;

<input name="__requestverificationtoken" type="hidden" value="jjmhm5kjq/qjsyc4sgifqwwx/wmadmnveghzxxub07bwol84drmqze6k9irvyfsj5vsyqeuixgl4dw4nhsotlwflgytyeczlvrgzbtonxj9m3gvpguv7z6s2ih/klub78gn7fl4gj7kxg62meogczw175evwtmkkj0xrtefd5kcvvyimhny8mt2l+qhltsgl87c9dii42avouuq2gtvfpg==" />

by mvc before page served. page has javascript making ajax calls don't include token though it's been added form. getting expected [httpantiforgeryexception]: required anti-forgery token not supplied or invalid. because don't have token. i'm aware could parse value out of dom shouldn't have to. there other ways of accessing/getting value? clear, mean i'd overload of method returns value string or kind of object has name , value both.

to provide bit more context form , relevant js looks little this;

<form action="/settings" method="post"><input name="__requestverificationtoken" type="hidden" value="jjmhm5kjq/qjsyc4sgifqwwx/wmadmnveghzxxub07bwol84drmqze6k9irvyfsj5vsyqeuixgl4dw4nhsotlwflgytyeczlvrgzbtonxj9m3gvpguv7z6s2ih/klub78gn7fl4gj7kxg62meogczw175evwtmkkj0xrtefd5kcvvyimhny8mt2l+qhltsgl87c9dii42avouuq2gtvfpg==" />    <fieldset>         <h3>user settings</h3>         <ul>             <li>             label for="password">password</label>                 <a href="#" id="change_password" class="changepasswordbutton">edit</a>                 <div id="password_section" class="inlineedit">                     <div>                         <span for="existing_password">current password</span> <input autocomplete="off" class="required" id="existing_password" name="existing_password" type="password" />                     </div>                     <div>                         <span for="new_password">new password</span> <input autocomplete="off" class="required" id="new_password" name="new_password" type="password" />                         <span id="password_strength" />                     </div>                     <div>                         <span for="confirm_password">confirm password</span> <input autocomplete="off" class="required" id="confirm_password" name="confirm_password" type="password" />                     </div>                     <div class="inlinesave">                         <input type="button" value="change" onclick="onpostchangepassword();"/>                         <a href="#" id="cancel_password" class="cancel">cancel</a>                     </div>                 </div>             </li>     // bunch more of these call own onpostchangesetting method

onpostchangepassword() input validation then;

 if(validpwd && validnewpwd && validconfirmpwd && current_pwd != new_pwd){                         // post password change                         var currentajaxrequest = $.ajax({                             type: "post",                             url: "/settings/preferences/changepassword",                             cache: false,                             data: {password: $('#new_password').val(), current: $('#existing_password').val(),confirm: $('#confirm_password').val()},                             success: password_success,                             error: password_error,                             datatype: "json"                         });                         return true;                   }

which ideally (since verbatim in cshtml file) modified this;

data: {password: $('#new_password').val(), current: $('#existing_password').val(),confirm: $('#confirm_password').val(), __requestverificationtoken:@html.antiforgeryvalue() }

tl;dr there way interact antiforgeytoken before it's turned string of html?

you can use code (in example _layout.cshtml) add antiforgery header ajax post requests, or adapt specific request. (code assumes using jquery)

@functions{     private static string tokenheadervalue()     {         string cookietoken, formtoken;         antiforgery.gettokens(null, out cookietoken, out formtoken);         return cookietoken + ":" + formtoken;     } }  <script type="text/javascript">     $(document).ajaxsend(function (event, jqxhr, settings) {         if (settings.type == "post") {                jqxhr.setrequestheader('@validatehttpantiforgerytokenattribute.requestverificationtokenname',                                    '@tokenheadervalue()');         }     }); </script>

on server side these ajax calls, want call the overload of antiforgery.validate takes cookie , form token, enable adding attribute action methods called via ajax (explicitly, or parent controller, or via filter)

[attributeusage(attributetargets.method | attributetargets.class,                 allowmultiple = false, inherited = true)] public sealed class validatehttpantiforgerytokenattribute                                   : filterattribute, iauthorizationfilter  {     public const string requestverificationtokenname = "requestverificationtoken";      public void onauthorization(authorizationcontext filtercontext)     {         if (filtercontext.httpcontext.request.isajaxrequest())         {             validaterequestheader(filtercontext.httpcontext.request);         }         else         {             antiforgery.validate();         }     }      private static void validaterequestheader(httprequestbase request)     {         string cookietoken = string.empty;         string formtoken = string.empty;          var tokenvalue = request.headers[requestverificationtokenname];          if (string.isnullorempty(tokenvalue) == false)         {             string[] tokens = tokenvalue.split(':');              if (tokens.length == 2)             {                 cookietoken = tokens[0].trim();                 formtoken = tokens[1].trim();             }         }          antiforgery.validate(cookietoken, formtoken);     }

Comments

Post a Comment

Popular posts from this blog

python - No exponential form of the z-axis in matplotlib-3D-plots -

-
Image
i have similar problem described in how prevent numbers being changed exponential form in python matplotlib figure : i don't want (in special case) weird scientific formatting of axis. problem different have problem @ z -axis. 2-d plots can use ax.get_yaxis().get_major_formatter().set_useoffset(false) . , there no function ax.get_zaxis() what use format z -axis same way? edit: example: from mpl_toolkits.mplot3d import axes3d import numpy np import sys import matplotlib import matplotlib.pyplot pyplot def func(xi, ti): res = 10e3 + np.cos(ti) * np.sin(xi) return res if __name__ == '__main__': timespacing = 20 timestart = 0 timeend = 1 time = np.linspace(timestart, timeend, timespacing) widthspacing = 50 widthstart = 0 widthend = 3 width = np.linspace(widthstart, widthend, widthspacing) reslist = [] matplotlib.rcparams['legend.fontsize'] = 10 fig = pyplot.figure() ax = fig.gca(projection = '3d...
Read more

php - Best Light server (Linux + Web server + Database) for Raspberry Pi -

-
i install web server database on raspberry pi (little computer). computer has 1gb ram. i want know best combination: linux distribution , web server , dbms run local server multiple users minimal latency, use php on server. , best settings performance , not have bugs (memory usage, disable plugin, disable service, etc)? i thought light debian , lighttpd server , sqlite database. solution? i think lighttpd + sqlite great choice. linux distro, debian @ centos or tiny core linux , although i'm not sure of compatibility pi. obviously, can't go wrong raspbian if want use in production , more stable performance, few more pi's , set them in cluster .
Read more

c# - "Newtonsoft.Json.JsonSerializationException unable to find constructor to use for types" error when deserializing class -

-
i developing app in xamarin android. have splash screen serialize class , pass mainactivity using intent . when try deserialize in mainactivity error message : "serializationexception unable find constructor use types" serialization : void loaddata() { currency currency = new currency(this); intent = new intent(this, typeof(mainactivity)); intent.putextra("currency", newtonsoft.json.jsonconvert.serializeobject(currency)); startactivity(intent); } deserialization : cur = newtonsoft.json.jsonconvert.deserializeobject<currency> (intent.getstringextra("currency")); // error here class constructor : public currency(context context) { thiscontext = context; } i began experiencing problem after added parameter context context constructor. has caused this? how can solve it? possible serialize/deserialize class has parameters? you need have empty constructor in currency class in order deserialize it. ...
Read more