Base solution for your next web application
Starts in:
01 DAYS
01 HRS
01 MIN
01 SEC
Open Closed

ApplicationService and AntiForgery ? #2282


User avatar
0
korigoth created

Hey,

i've read the documentation <a class="postlink" href="http://www.aspnetboilerplate.com/Pages/Documents/XSRF-CSRF-Protection">http://www.aspnetboilerplate.com/Pages/ ... Protection</a> and i've check the section about WebAPI.

Does it refer to controller in the WebAPI project for the protection or the Services in the Application Layer are also protected by the AntiForgery ?

because i tried to use the abp.services.app.myservice.method(data) without any @Html.AntiForgeryToken() and it worked!

So i was not sure about if it was a normal behaviour?


5 Answer(s)
  • User Avatar
    1
    ismcagdas created
    Support Team

    Hi,

    Can you check request headers on Google Chrome's developer console's network tab and see if there is a request header X-XSRF-TOKEN ? AppServices should be protected as well.

  • User Avatar
    0
    korigoth created

    yea there is

    X-Requested-With:XMLHttpRequest X-XSRF-TOKEN: tokenvalue

    so i doesn't need to put the @Html.AntiForgeryToken() in my AJAX View?

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    It seems like token is sent to appService, this is expected behaviour. Probably there must be @Html.AntiForgeryToken() somewhere in your layout file, you don't need to put it in all of your views since layout contains it.

  • User Avatar
    0
    korigoth created

    You are right, i have this in my _layout

    @{
        SetAntiForgeryCookie();
    }
    

    How my mobile native app will know about this token ? How do i create the token in my mobile native app to send it to AppService or WebAPI Controller ?

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    If you are using MVC 5.x, you don't need to send anti forgery token from mobile app. If you are using ASP.NET Core, you need to remove anti forgery validation from your web app. We will create a new attribute to support it, see <a class="postlink" href="https://github.com/aspnetboilerplate/aspnetboilerplate/issues/1680">https://github.com/aspnetboilerplate/as ... ssues/1680</a> and <a class="postlink" href="https://github.com/aspnetboilerplate/aspnetboilerplate/issues/1762">https://github.com/aspnetboilerplate/as ... ssues/1762</a>