Menu
I'm creating a page that makes multiple AJAX form posts without a page refresh.
I would like to use the ASP.NET MVC HTML.AntiForgeryToken() helper to secure the form against CSRF attacks. I think that each form on the page can share the same token, but will it allow multiple requests with the same token? If not is there a way to get a new token or some other way to secure the forms?
670
You can share the same token. Of course, as a general rule, it's highly recommended to wrap your Ajax calls in a unified method that concatenates the CSRF token to the request (be it GET or POST although POST is safer and much more correct from architectural perspective), so when you make Ajax calls you focus on the business input values only, and don't need to worry about CSRF.
Edit: Read this nice post & sample of auto-wrapping Ajax for CSRF protection using jQuery 1.5 and up: http://www.codethinked.com/aspnet-mvc-ajax-csrf-protection-with-jquery-15
76
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
