Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to include the @Html.AntiForgeryToken() when deleting an object using a Delete link

i have the following ajax.actionlink which calls a Delete action method for deleting an object:-

 @if (!item.IsAlreadyAssigned(item.LabTestID))
        { 
        string i = "Are You sure You want to delete (" + @item.Description.ToString() + ") ?";
           @Ajax.ActionLink("Delete",
       "Delete", "LabTest",
      new { id = item.LabTestID },

new AjaxOptions
{ Confirm = i,
    HttpMethod = "Post",
    OnSuccess = "deletionconfirmation",
    OnFailure = "deletionerror"
})
} 

but is there a way to include @Html.AntiForgeryToken() with the Ajax.actionlink deletion call to make sure that no attacker can send a false deletion request?

BR

like image 338
john Gu Avatar asked Apr 23 '12 00:04

john Gu


People also ask

What does HTML AntiForgeryToken () do?

AntiForgeryToken()Generates a hidden form field (anti-forgery token) that is validated when the form is submitted.

How do I disable AntiForgeryToken?

Anti-forgery token validation is enabled by default in Razor Pages. You can disable validation either globally or on individual pages by using [IgnoreAntiforgeryToken] . You can prevent forms from creating anti-forgery tokens by using asp-antiforgery="false" in the form tag helper.

What is AntiForgeryToken in asp net core?

In ASP.NET Core, @Html. AntiForgeryToken() is applied for preventing cross-site request forgery (XSRF/CSRF) attacks.

What is __ Requestverificationtoken?

TYPE. __RequestVerificationToken. www.grpgroup.co.uk. This is an anti-forgery cookie set by web applications built using ASP.NET MVC technologies. It is designed to stop unauthorised posting of content to a website, known as Cross-Site Request Forgery.


1 Answers

You need to use the Html.AntiForgeryToken helper which sets a cookie and emits a hidden field with the same value. When sending the AJAX request you need to add this value to the POST data as well.

So I would use a normal link instead of an Ajax link:

@Html.ActionLink(
    "Delete", 
    "Delete", 
    "LabTest", 
    new { 
        id = item.LabTestID
    }, 
    new { 
        @class = "delete",
        data_confirm = "Are You sure You want to delete (" + item.Description.ToString() + ") ?"
    }
)

and then put the hidden field somewhere in the DOM (for example before the closing body tag):

@Html.AntiForgeryToken()

and finally unobtrusively AJAXify the delete anchor:

$(function () {
    $('.delete').click(function () {
        if (!confirm($(this).data('confirm'))) {
            return false;
        }

        var token = $(':input:hidden[name*="RequestVerificationToken"]');
        var data = { };
        data[token.attr('name')] = token.val();
        $.ajax({
            url: this.href,
            type: 'POST',
            data: data,
            success: function (result) {

            },
            error: function () {

            }
        });

        return false;
    });
});

Now you could decorate your Delete action with the ValidateAntiForgeryToken attribute:

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Delete(int id)
{
    ...
}
like image 169
Darin Dimitrov Avatar answered Oct 16 '22 22:10

Darin Dimitrov