I'm looking to set up AntiForgeryTokens throughout an application.
This works fine on normal forms (with @Html.AntiForgeryToken() helper), as well as AJAX posts by sending the token value in a cookie. However I have a problem in some cases when trying to send the cookie with requests from Kendo controls.
For example I have the following in a view:
@Html.AntiForgeryToken()

@(Html.Kendo().Grid<UniTech.ICAP.Extranet.Web.Models.ActivityViewModel.ActivityListItem>(Model.ActivityList)
    .Name("Grid")
    .Columns(columns =>
    {
        columns.Bound(i => i.UserName);
        columns.Bound(i => i.ActionString).Filterable(filterable => filterable.UI("actionFilter"));
        columns.Bound(i => i.ItemString);
        columns.Bound(i => i.RepositoryString);
        columns.Bound(i => i.ActionDate).Title("Date").Width(150).Format("{0:dd MMM yyyy HH:mm}");
    })
    .Sortable()
    .Filterable(filterable => filterable
        .Extra(false)
        .Operators(operators => operators
            .ForString(str => str.Clear()
                .StartsWith("Starts with")
                .IsEqualTo("Is equal to")
                .IsNotEqualTo("Is not equal to")
            ))
    )
    .Resizable(resize => resize.Columns(true))
    .DataSource(datasource => datasource.Ajax().ServerOperation(false).Read(read => read.Action("ActivityGridRead", "Admin")))
    .Pageable(p => p.PageSizes(new[] { 10, 50, 100 }).Enabled(true))
)
Following advice in other threads, I have the following JavaScript also on the page:
$(function () {
    var grid = $("#Grid").data("kendoGrid");
    grid.dataSource.transport.options.read.beforeSend = function (req) {
        var header = $('[name=__RequestVerificationToken]').val();
        req.setRequestHeader('__RequestVerificationToken', header);
    };
});
When the page loads, the grid sends a POST to the server to get the activity grid items. There is an attribute that then validates the forgery token:
if (request.IsAjaxRequest())
{
    var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName];
    var cookieValue = antiForgeryCookie != null ? antiForgeryCookie.Value : null;
    AntiForgery.Validate(cookieValue, request.Headers["__RequestVerificationToken"]);
}
When the request is sent, the validation fails and I can't work out why. This seems to be a problem for any grid that sends a POST to retrieve the data rather than having the data when the page loads.
What I have noticed is that after the first POST fails validation, if I then run the following javascript in firebug console, the validation passes and the grid is populated:
var grid = $("#Grid").data("kendoGrid").dataSource.read();
Any ideas what I'm doing wrong here?
Thanks