
[CLOSED] Cross-site Request Forgery with DirectMethods



jchau
Jan 28, 2015, 7:06 PM
Is there any built-in security prevention for cross-site request forgery when using shared / static DirectMethods? We have an anti-forgery token on every page that we validate against on postbacks. Now with shared / static DirectMethods, it bypasses submitting form data, so we can't validate that token. I would like a central way to validate against CSRF without modifying all existing DirectMethods to also send the token as a parameter to the method. Maybe somehow always inject the anti-forgery token into the header of the ajax request?

Dimitris
Jan 29, 2015, 1:19 PM
Hi,

Maybe you can add the following code to your application. It allows a requestID parameter to be sent along with DirectMethod calls.


<head runat="server">
    <title></title>
    <script type="text/javascript">
        // Anti-forgery token rendered for this page/session (placeholder value here).
        var token = 'my token';
        // Sent as an extra POST parameter with every DirectMethod/DirectEvent request.
        Ext.net.DirectEvent.extraParams = { requestID: token };
    </script>
</head>

Hope it helps.