I have an AJAX form that I wish to be protected with the CSRF TOKEN on submit.
My question is, How do I validate it in my action?
I can successfully send it over via my AJAX call but the problem is validating it on my action.
I know that
$request->checkCSRFProtection();
Doesn't work since it is for the link_to function.
Is there a way for me to validate it on my action?
Any advice would be greatly appreciated.
Thanks!
Related
I have a WordPress page that I built before I learned Rails. On the page there is a form. I want to send the form data to a Rails route. But i get an invalid authenticity token error. How do I satisfy rails with an authenticity token since I understand that they are created by the Rails app itself and therefore would never exist outside of Rails?
Since this sounds like a separate app that you want to use to post data to a rails endpoint, you probably don't care about CSRF issues for the controller action that handles this. You could disable the authenticity token verification for your controller action with:
# inside your controller class
skip_before_action :verify_authenticity_token, only: [:your_wordpress_action]
I have a Project model. There's one-to-many association with the Project model and the Devise User model. I want the users to perform ajax login using Devise before submitting the Projects form data.
The Ajax login works fine. But, after the login when I try and submit the Projects form I get an authenticity token error. I understand that this is due to the change of session token change. But I wonder if there's any way to maintain this kind of user flow?
I think I fixed it with some simple jQuery code. I basically needed to replace the existing authenticity token on the parent form with the new one after sign in. Previously had enabled the Devise session method to respond to js format and had the file /devise/sessions/create.js.erb.
On the same file I had to append the following jQuery code to replace the existing authenticity token on the form with the new one generated after logging in.
$("input[name='authenticity_token'").val("<%= form_authenticity_token %>");
I have a Rails 3 app and I am using Warden for authentication.
It works fine but when I try to use AJAX(POST) access one of the controller the application log out my account and ask me to log in again.
This is because of the rails CSRF token validation. There are a few different ways to deal with this:
Hacky, dirty shortcut - just make the AJAX call use HTTP GET instead of POST. GET will not look for CSRF token by default
Another dirty shortcut - turn off CSRF validation for this particular action in your controller
protect_from_forgery :except => :create
Properly implement CSRF token with AJAX calls, there are many guides out there, for example this one or this one
I want to use the ValidateAntiForgeryToken but... I want to use it only on actions
that i do a regular post to. and not ajax with json. because regularly an attacker would be stopped by the cross domain restriction. my question is so:
if i have an action which i know i only call with posting JSON in AJAX and in which case the antiforgerytoken doesn't work , so i want to make sure the request is really an ajax request which means its really from my site , how can i do that in ASP.Net MVC 2?
so my general idea is to: put the ValidateAntiForgeryToken attribute on all actions with regular post. and to validate that a post is really an ajax post in all other acitons
so how can I make sure that a post to an action is really AJAX and not just a regular post?
thanks
You would have to write your own ValidateAntiForgeryTokenAttribute.
I would just take the source of the existing attribute and copy it into your won class then modify it so that OnAuthorization method checks the "filterContext.RequestContext.HttpContext.Request.IsAjaxRequest" and only performs the CSRF validation if that is false.
You also can easily attach the CSRF token to your AJAX requests, which I would say would be the better solution to your problem
I have an HTML form in MVC ASP.NET which the user fills out and the request goes to the server [AJAX] then we send a mail them to inform them. I use the hidden key to store information on the page.
I find that someone changed the key and then clicked then it's a problem that the mail go to other who are unknown for this case.
How can I be sure that nobody changes the hidden key and request is valid. The thing I want to do that HTML. antioforeignkey who is suitable for that.
But how can I implement antiforeignkey when I send AJAX request to server.
Are there any tricks to solve this problem in MVC?
Check out this link: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
This link will help with AntiForgeryToken and Ajax calls: http://blogs.us.sogeti.com/swilliams/2009/05/14/mvc-ndash-using-antiforgerytoken-over-ajax/
Be sure to add #Html.AntiForgeryToken() to your form then you can use jQuery to pull that value. With the value you can then add it to the data attribute of your jQuery Ajax call.
var token = $('input[name=__RequestVerificationToken]').val();