[CLOSED] Cross-site Request Forgery with DirectMethods

Jan 28, 2015, 8:06 PM
Is there any built-in security prevention for cross-site request forgery when using shared / static DirectMethods? We have an anti-forgery token on every page that we validate against on postbacks. Now with shared / static DirectMethods, it bypasses submitting form data, so we can't validate that token. I would like a central way to validate against CSRF without modifying all existing DirectMethods to also send the token as a parameter to the method. Maybe somehow always inject the anti-forgery token into the header of the ajax request?

Jan 29, 2015, 2:19 PM

Maybe you can add the following code to your application. It allows a requestID parameter to be sent along with DirectMethod calls.

<head runat="server">
    <script type="text/javascript">
        // the anti-forgery token value for this page
        var token = 'my token';
        // sent as an extra parameter with every DirectMethod / DirectEvent call
        Ext.net.DirectEvent.extraParams = { requestID: token };
    </script>
</head>

Hope it helps.