JQGrid able to pass ValidateAntiForgeryToken through the main CRUD controls?

jquery,jqgrid,antiforgerytoken
This is my first time setting up a jqGrid, so I implemented a basic grid but am having a rather difficult time passing the __RequestVerificationToken to my controller.

    $("#RawMatGrid").jqGrid({
        url: "/RawMat/GetRawMats",
        datatype: 'JSON',
        mtype: 'GET',
        colNames: [ 'Item', 'Product', 'Description' ],
        colModel: [
            { name: 'Item', key: true, index: 'Item',...

An unhandled exception of System.InvalidOperationException breaks my MVC App?

c#,asp.net-mvc-5,antiforgerytoken
I am taking the concept of building an OWIN login from an empty MVC and I am just starting to add the part with using my database to log in the user after creating an Identity claim to put in the URL. This is my code to create the claim to...

ASP.NET vNext AntiForgeryToken

asp.net-mvc-6,antiforgerytoken
Is @Html.AntiForgeryToken() still required in ASP.NET .NET4.6 vNext? The form decorations have changed to

    <form asp-controller="Account" asp-action="Login" asp-route-returnurl="@ViewBag.ReturnUrl" method="post" class="form-horizontal" role="form">

From this -

    @using (Html.BeginForm("Login", "Account", new { ReturnUrl = ViewBag.ReturnUrl }, FormMethod.Post, new { @class = "", role = "form" }))

And no longer include this

    @Html.AntiForgeryToken()

The...

Asp.Net MVC Antiforgery validation fails when non-null usernames differ…is that reasonable?

asp.net-mvc,security,cookies,csrf,antiforgerytoken
My question is about the MVC Antiforgery system (described here). Consider a simple app which posts todos to /Todo/Create. The corresponding action method has the ValidateAntiForgeryToken attribute. Consider the following client workflow: User A logs on and goes to the page to create a todo, but doesn't do it yet....

Are anti-forgery tokens necessary on a login page?

security,web,login,csrf,antiforgerytoken
I keep seeing code samples which place anti-forgery tokens on standard username/password login pages. Even the Asp.Net web project template does it. Why? The only system state that is changed is the user's login status, and in order to even make that happen the attacker would need their username and...