@Html.AntiForgeryToken() renders hidden input <pre class="prettyprint"><code><input name="__RequestVerificationToken" type="hidden" value="GuiNIwhIJZjINHhuS_8FenaFDXIiaE" /> </code></pre> How can I get token value only? Without ugly code like this: <pre class="prettyprint"><code>public static IHtmlString AntiForgeryTokenValue(this HtmlHelper htmlHelper) { var field = htmlHelper.AntiForgeryToken().ToHtmlString(); var beginIndex = field.IndexOf("value=\"") + 7; var endIndex = field.IndexOf("\"", beginIndex); return new HtmlString(field.Substring(beginIndex, endIndex - beginIndex)); } </code></pre>

The anti-CSRF capabilities of MVC actually depend on two tokens: one is a hidden form element, and the other is a cookie. So the Html.AntiForgeryToken() helper doesn't just return an HTML snippet. It also has a side effect of setting this cookie. Note that the cookie value and the form value are not equal since they each encode different pieces of information. If you use the AntiForgery.GetTokens API, this method will return the raw tokens instead of generating an HTML snippet. The parameters to this method are: <ul> <li> oldCookieToken: If the request already contains an anti-CSRF cookie token, provide it here. This parameter may be null.</li> <li> newCookieToken (out parameter): If oldCookieToken was null or did not represent a valid anti-CSRF cookie token, this parameter will be populated with the value that you should put in the response cookie. If oldCookieToken represented a valid anti-CSRF token, then newCookieToken will contain null when the method returns, and you don't have to set a response cookie.</li> <li> formToken (out parameter): This parameter will be populated with the token that should be present in the form body when posting back to the server. This is the value that ends up being wrapped by the hidden input element in a call to Html.AntiForgeryToken().</li> </ul> If you use this API to generate cookie and form tokens manually, you'll need to call the corresponding overload of AntiForgery.Validate in order to validate the tokens.

How to get AntiForgeryToken value without hidden input

Tags:

asp.net-mvc-4

@Html.AntiForgeryToken() renders hidden input

<input name="__RequestVerificationToken" type="hidden" value="GuiNIwhIJZjINHhuS_8FenaFDXIiaE" />

How can I get token value only? Without ugly code like this:

public static IHtmlString AntiForgeryTokenValue(this HtmlHelper htmlHelper) {         var field = htmlHelper.AntiForgeryToken().ToHtmlString();         var beginIndex = field.IndexOf("value=\"") + 7;         var endIndex = field.IndexOf("\"", beginIndex);         return new HtmlString(field.Substring(beginIndex, endIndex - beginIndex));     }

513

asked Feb 17 '13 20:02

Alexey Ryazhskikh

1 Answers

The anti-CSRF capabilities of MVC actually depend on two tokens: one is a hidden form element, and the other is a cookie. So the Html.AntiForgeryToken() helper doesn't just return an HTML snippet. It also has a side effect of setting this cookie. Note that the cookie value and the form value are not equal since they each encode different pieces of information.

If you use the AntiForgery.GetTokens API, this method will return the raw tokens instead of generating an HTML snippet. The parameters to this method are:

oldCookieToken: If the request already contains an anti-CSRF cookie token, provide it here. This parameter may be null.
newCookieToken (out parameter): If oldCookieToken was null or did not represent a valid anti-CSRF cookie token, this parameter will be populated with the value that you should put in the response cookie. If oldCookieToken represented a valid anti-CSRF token, then newCookieToken will contain null when the method returns, and you don't have to set a response cookie.
formToken (out parameter): This parameter will be populated with the token that should be present in the form body when posting back to the server. This is the value that ends up being wrapped by the hidden input element in a call to Html.AntiForgeryToken().

If you use this API to generate cookie and form tokens manually, you'll need to call the corresponding overload of AntiForgery.Validate in order to validate the tokens.

138

answered Oct 03 '22 23:10

Levi

Related questions
                            
                                How to upload bundled and minified files to Windows Azure CDN
                            
                                "System cannot find the file specified" while creating a new MVC4 project
                            
                                Passing a string into a partial view in MVC4
                            
                                Mvc4 bundling, minification and AngularJS services
                            
                                The ObjectContext instance has been disposed and can no longer be used for operations that require a connection. in Reference table
                            
                                Web Api Request.CreateResponse HttpResponseMessage no intellisense VS2012
                            
                                how to create an audit trail with Entity framework 5 and MVC 4
                            
                                Custom Authentication and ASP.NET MVC
                            
                                Submit same Partial View called multiple times data to controller?
                            
                                How can I get a reference to an HttpResponse in ASP.NET MVC?
                            
                                How to make ajax request with anti-forgery token in mvc
                            
                                How do I resolve the error "Attempt by security transparent method 'System.Web.Http.GlobalConfiguration.get_Configuration()
                            
                                ExecuteCore() in base class not fired in MVC 4 beta
                            
                                How to redirect to logon page when session State time out is completed in asp.net mvc
                            
                                ASP.NET Help Pages default home page?
                            
                                ASP.Net MVC resource files are sometimes incorrectly loaded by the ResouceManager
                            
                                Unit Of Work & Generic Repository with Entity Framework 5
                            
                                ASP.NET MVC 4 Mobile Display Modes Stop Working
                            
                                Difference between MvcHtmlString.Create() and Html.Raw()
                            
                                Is it possible to use async/await in MVC 4 AuthorizeAttribute?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With