Hey,
I've read the documentation <a class="postlink" href="http://www.aspnetboilerplate.com/Pages/Documents/XSRF-CSRF-Protection">http://www.aspnetboilerplate.com/Pages/ ... Protection</a> and I've checked the section about WebAPI.
Does it refer to controllers in the WebAPI project for the protection, or are the Services in the Application Layer also protected by the AntiForgery?
Because I tried to use abp.services.app.myservice.method(data) without any @Html.AntiForgeryToken() and it worked!
So I was not sure whether this was normal behaviour?
5 Answer(s)
-
1
Hi,
Can you check the request headers in Google Chrome's developer console's network tab and see if there is a request header X-XSRF-TOKEN? AppServices should be protected as well.
-
0
Yes, there is:
X-Requested-With: XMLHttpRequest
X-XSRF-TOKEN: tokenvalue
So I don't need to put the @Html.AntiForgeryToken() in my AJAX view?
-
0
Hi,
It seems like the token is sent to the appService; this is expected behaviour. There is probably an @Html.AntiForgeryToken() somewhere in your layout file; you don't need to put it in all of your views since the layout contains it.
-
0
You are right, I have this in my _layout:
@{ SetAntiForgeryCookie(); }
How will my native mobile app know about this token? How do I create the token in my native mobile app to send it to the AppService or WebAPI controller?
-
0
Hi,
If you are using MVC 5.x, you don't need to send the anti-forgery token from the mobile app. If you are using ASP.NET Core, you need to remove anti-forgery validation from your web app. We will create a new attribute to support it, see <a class="postlink" href="https://github.com/aspnetboilerplate/aspnetboilerplate/issues/1680">https://github.com/aspnetboilerplate/as ... ssues/1680</a> and <a class="postlink" href="https://github.com/aspnetboilerplate/aspnetboilerplate/issues/1762">https://github.com/aspnetboilerplate/as ... ssues/1762</a>