Antiforgery token Ext.net Mvc 4.5

  1. #1

    Hey Guys

    How to add an Antiforgery token to this form? Tried adding it in Content & ExtraParams, didn't work.
    
    <ext:FormPanel ID="frmUserSettings" ItemID="frmUserSettings" runat="server" BodyPadding="5" AutoDataBind="true"
                Layout="Form">
                
                
                <Items>
                    
                    <ext:TextField ItemID="txtFirstnameUser" ID="txtFirstnameUser" LabelWidth="110" runat="server" FieldLabel="First Name" Width="300" AllowBlank="false" LabelAlign="Right" MaskRe="[A-Za-z0-9]">                    
                    </ext:TextField>
                    <ext:TextField ItemID="txtLastnameUser" ID="txtLastnameUser" LabelWidth="110" runat="server" FieldLabel="Last Name" Width="300" AllowBlank="false" LabelAlign="Right" MaskRe="[A-Za-z0-9]">                    
                    </ext:TextField>
    
    
                    <ext:TextField ItemID="txtEmail" ID="txtEmail" LabelWidth="110" runat="server" FieldLabel="Email" 
                        Width="300" AllowBlank="false" LabelAlign="Right" InputType="Email">                    
                    </ext:TextField>
    
    
                    <ext:TextField InputType="Password" ID="txtpass" ItemID="txtpass" LabelWidth="110" runat="server"
                        FieldLabel="Password" Width="300" LabelAlign="Right" MaskRe="[@^*.$_~!A-Za-z0-9]">
                   
                    </ext:TextField>
                    
                    
                </Items>
               <Content>
                   <%#Html.AntiForgeryToken()%>
               </Content> 
                <Buttons>
                    <ext:Button ID="btnSaveUser" ItemID="btnSaveUser" runat="server" Text="Update" Icon="UserEdit">
                        
                        <DirectEvents>                       
                            <Click Url="/Users/Submit" CleanRequest="true"  FormID="frmuserprof"   >                                                    
                                
                                <ExtraParams>
                                    
                                </ExtraParams>
                            </Click>
                            
                        </DirectEvents>
                    </ext:Button>
    
                </Buttons>
               
            </ext:FormPanel>
  2. #2
    Hello,

    Can you try adding to <Html>.

    <Html>
       <%#Html.AntiForgeryToken()%>
    </Html>
    We will try to reproduce locally to confirm if that works.
    Geoffrey McGill
    Founder
  3. #3
    Thanks Geoffrey, I have tried this with no luck.
    I have a controller to which data is posted, with [ValidateAntiForgeryToken]:

    [ValidateAntiForgeryToken]
    public ActionResult Submit(FormCollection collection)
    {

    }
  4. #4
    Hello @asifsolkar!

    Have you taken a look in two discussions we have here about using this feature with Ext.NET? If not, please do take a look:

    - XSRF AntiForgeryToken with AjaxProxy
    - Cross-site Request Forgery with DirectMethods (the asking person didn't provide a feedback of the suggestion posted).

    There, X.AntiForgeryField() is used, which is a Razor builder that basically just writes the field. As the anti-forgery field is but an ordinary form field, adding it anywhere within a form panel or the page's form tag should be enough.

    The MVC helper mentioned above just extracts the name and value fields of the HTML code generated by AntiForgery.GetHtml().ToString() and binds them to an ext:Hidden component.

    So, something like this should do:

    // extract the .Name and .Value of the anti forgery string from code behind and store in
    // class instance variables like AFName and AFVal
    
    ...
    
    <%-- Either build the field from code behind at once and add it to the form, or define the field in the form itself --%>
    <ext:Hidden ID="AntiForgery" runat="server" Name="<% AFName %>" Value="<% AFVal %>" />
    This should work on your page. If you are still having trouble making it work, I'd advise you to first try to make it work on a simple form without Ext.NET (in the same project, preferably), so then you can check from the page DOM why the anti-forgery field is not getting within the actual page's form. Following the threads linked above, you may also need to manually forward the token depending on the server-side interaction you make.

    Another point about your first attempt is that you used both Items and Content tags in an Ext.NET component. This does not work; they are mutually exclusive. So what you can do if you need such a scenario is keep the FormPanel with just Items, then create an ext:Container (or Panel, or anything that could take content within), and then set Content within it. So, while you can nest components with either Items or Content, you can't have both in the same component.

    Hope this helps!
    Fabrício Murta
    Developer & Support Expert
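    Putting the approach described in this post into code, as an added example that is neither from the thread nor Ext.NET's own X.AntiForgeryField() helper: AntiForgeryField.Parse pulls the name and value out of the markup that AntiForgery.GetHtml() renders, the view's code-behind stores them in AFName/AFVal for the <ext:Hidden> binding, and the controller action validates the posted token. The class names (AntiForgeryField, UserSettingsView, UsersController) and the exact <ext:Hidden> attribute binding shown in the comments are assumptions; the parser works on any single hidden-input tag with double-quoted name and value attributes.

```csharp
// Added example (not from the thread). Shows the approach described in the post:
// take the HTML that AntiForgery.GetHtml() renders, pull out the hidden input's
// name and value, and expose them to the page so an <ext:Hidden> can carry the token.
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

/// <summary>Name/value pair of the anti-forgery form field (class name is an assumption).</summary>
public sealed class AntiForgeryField
{
    public string Name { get; private set; }
    public string Value { get; private set; }

    public AntiForgeryField(string name, string value)
    {
        Name = name;
        Value = value;
    }

    // GetHtml() renders a single tag of the form
    //   <input name="__RequestVerificationToken" type="hidden" value="..." />
    // The patterns only accept double-quoted attributes, which is what the helper emits.
    private static readonly Regex NameAttr =
        new Regex(@"\bname=""([^""]*)""", RegexOptions.IgnoreCase);
    private static readonly Regex ValueAttr =
        new Regex(@"\bvalue=""([^""]*)""", RegexOptions.IgnoreCase);

    /// <summary>Parses the rendered hidden-input markup; throws if either attribute is missing.</summary>
    public static AntiForgeryField Parse(string inputTagHtml)
    {
        Match n = NameAttr.Match(inputTagHtml);
        Match v = ValueAttr.Match(inputTagHtml);
        if (!n.Success || !v.Success)
            throw new FormatException("Anti-forgery markup did not contain name and value attributes.");

        // The helper attribute-encodes the value, so decode it before handing it to a control.
        return new AntiForgeryField(
            HttpUtility.HtmlDecode(n.Groups[1].Value),
            HttpUtility.HtmlDecode(v.Groups[1].Value));
    }

    /// <summary>Issues a token pair (the cookie half is set on the response) and returns the form half.</summary>
    public static AntiForgeryField Current()
    {
        return Parse(AntiForgery.GetHtml().ToString());
    }
}

// Code-behind of the view (class name is an assumption). AFName/AFVal are the
// "class instance variables" the post refers to. Bind them with data-binding expressions
// inside a control that has AutoDataBind="true" (the FormPanel in the question does), e.g.
//   <ext:Hidden ID="hdToken" runat="server" Name="<%# AFName %>" Text="<%# AFVal %>" />
public partial class UserSettingsView : ViewPage
{
    public string AFName { get; private set; }
    public string AFVal { get; private set; }

    protected void Page_Load(object sender, EventArgs e)
    {
        AntiForgeryField field = AntiForgeryField.Current();
        AFName = field.Name;   // "__RequestVerificationToken"
        AFVal = field.Value;
    }
}

// Receiving side: the attribute compares the posted field with the cookie half and
// rejects the request (HttpAntiForgeryException) when they don't match or can't be decrypted.
public class UsersController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Submit(FormCollection collection)
    {
        // Apply the validated changes here; the response shape follows whatever the
        // DirectEvent on the page expects.
        return new EmptyResult();
    }
}
```

    Because the hidden field is named __RequestVerificationToken, an ordinary form submission from the FormPanel already carries it; the separate ExtraParams entry discussed later in the thread is only needed for calls that do not post the form fields.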
  5. #5
    @Fabrício, thanks for the reply.

    I tried this

    The MVC helper mentioned above just extracts the name and value fields of the HTML code generated by AntiForgery.GetHtml().ToString() and binds them to an ext:Hidden component.

    I am able to get the token in to the hidden field.

    Now while using

     <DirectEvents>                       
              <Click Url="/User/Submit" CleanRequest="true"  FormID="frmusersetting"   >                          
                  <ExtraParams>
                     <ext:Parameter Name="__RequestVerificationToken"  Value=App.hdToken.getValue(); />
                  </ExtraParams>
               </Click>
                            
    </DirectEvents>
    I get the following error:

    Internal server error 
    status : 500
    Stack Trace: 
    
    
    [HttpAntiForgeryException (0x80004005): The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.]
    Is this approach safe?

    Thanks
    Asif
  6. #6
    Hello asifsolkar! I suppose you are having some progress with that, right? That'd be great news!

    As for the code block you shared:

    <DirectEvents>                       
              <Click Url="/User/Submit" CleanRequest="true"  FormID="frmusersetting"   >                          
                  <ExtraParams>
                     <ext:Parameter Name="__RequestVerificationToken"  Value=App.hdToken.getValue(); />
                  </ExtraParams>
               </Click>
    </DirectEvents>
    I can't see that working. Ever. The way you have written it, you are passing the App.hdToken.getValue(); string back to the server. This is never going to be the token, I believe, so naturally, it can't decode it.

    What you should pass is the result of the code eval()'d with that string. So, you probably wanted to write:

    <DirectEvents>                       
              <Click Url="/User/Submit" CleanRequest="true"  FormID="frmusersetting"   >                          
                  <ExtraParams>
                     <ext:Parameter Name="__RequestVerificationToken" Value="App.hdToken.getValue();" Mode="Raw" />
                  </ExtraParams>
               </Click>
    </DirectEvents>
    If you look at the first thread I shared with you, you'll see several posts with the equivalent MVC syntax, so I'm very confident that's the way to go with this issue.

    I hope this helps!

    p.s.: Have you tried, instead of using this extra parameter, just creating an <ext:Hidden /> field with the "__RequestVerificationToken" name (and the token as its value)? This should normally be submitted on every usual code-behind call, except maybe in some Direct Method (not Event, as you used), which are just simpler calls to code-behind methods (and not events). So maybe you really don't need the ExtraParams bit on your page.
    Fabrício Murta
    Developer & Support Expert
  7. #7
    Hello Fabrico

    The code below works, thanks:
    <ExtraParams>
    <ext:Parameter Name="__RequestVerificationToken"  Value="App.hdToken.getValue()"  Mode="Raw"/>
    </ExtraParams>
    I tried including hidden fields as per your suggestion.

    The following code throws a compile error:
    <ext:Hidden Name="__RequestVerificationToken"  Value="App.hdToken.getValue()"  runat="server"  />

    The following code throws a "cannot decode" error on submit:
    <ext:Hidden Name="__RequestVerificationToken"  Text="App.hdToken.getValue()"  runat="server"  />
    Please note: the Mode="Raw" attribute is not available for the hidden field here.

    I will try to work around it with the ExtraParams code. Is this way of passing tokens safe in your opinion?

    Thank you for your help on this.
  8. #8
    Hello! What is it you named hdToken? Is that a component? A field? You can keep its ID as hdToken (so you can access it via App.hdToken) and give it the __RequestVerificationToken name, so that it gets submitted as required.

    I was thinking of just having it submitted under that "__Req..." name. It already has the value, so there's no point in creating a new element and having it "copy over" the value. If you need to copy the value anyway, then there's no point in having the hidden field at all.

    Having it within ExtraParams may be seen as increased security also, because that field is only going to get through to the server if that specific event is triggered... so security-wise, it may be a good idea.

    I hope this helps!
    Fabrício Murta
    Developer & Support Expert