Base solution for your next web application
Open Closed

ApplicationService and AntiForgery ? #2282


0
korigoth created

Hey,

i've read the documentation <a class="postlink" href="http://www.aspnetboilerplate.com/Pages/Documents/XSRF-CSRF-Protection">http://www.aspnetboilerplate.com/Pages/ ... Protection</a> and i've check the section about WebAPI.

Does it refer to controller in the WebAPI project for the protection or the Services in the Application Layer are also protected by the AntiForgery ?

because i tried to use the abp.services.app.myservice.method(data) without any @Html.AntiForgeryToken() and it worked!

So i was not sure about if it was a normal behaviour?


5 Answer(s)
  • 1
    ismcagdas created
    Support Team

    Hi,

    Can you check request headers on Google Chrome's developer console's network tab and see if there is a request header X-XSRF-TOKEN ? AppServices should be protected as well.

  • 0
    korigoth created

    yea there is

    X-Requested-With:XMLHttpRequest X-XSRF-TOKEN: tokenvalue

    so i doesn't need to put the @Html.AntiForgeryToken() in my AJAX View?

  • 0
    ismcagdas created
    Support Team

    Hi,

    It seems like token is sent to appService, this is expected behaviour. Probably there must be @Html.AntiForgeryToken() somewhere in your layout file, you don't need to put it in all of your views since layout contains it.

  • 0
    korigoth created

    You are right, i have this in my _layout

    @{
        SetAntiForgeryCookie();
    }
    

    How my mobile native app will know about this token ? How do i create the token in my mobile native app to send it to AppService or WebAPI Controller ?

  • 0
    ismcagdas created
    Support Team

    Hi,

    If you are using MVC 5.x, you don't need to send anti forgery token from mobile app. If you are using ASP.NET Core, you need to remove anti forgery validation from your web app. We will create a new attribute to support it, see <a class="postlink" href="https://github.com/aspnetboilerplate/aspnetboilerplate/issues/1680">https://github.com/aspnetboilerplate/as ... ssues/1680</a> and <a class="postlink" href="https://github.com/aspnetboilerplate/aspnetboilerplate/issues/1762">https://github.com/aspnetboilerplate/as ... ssues/1762</a>