I have an igGrid where I use remote paging/filtering. On databind, I'm adding onto "extraParams", however on my ASP.Net MVC Controller action I need to have the "__RequestVerificationToken" in the form data so the "ValidateAntiForgeryToken" attribute will work. These parameters are only being put in the "request body". How can I get them to work with the "ValidateAntiForgeryToken" attribute?
    dataBinding: function (evt, ui) {
        ui.dataSource.settings.urlParamsEncoded = function (item, params) {
            var myParams = {
                id: viewModel.Id(),
                __RequestVerificationToken: viewModel.AntiForgeryToken()
            };
            params.extraParams = myParams;
        };
    }
Hello Justin,
Thank you for posting in our forum.
Providing me with some more details regarding your scenario would be very appreciated and would allow me to give you a more precise answer:
If you need any additional assistance, feel free to contact me.
It's being added with an ASP.Net MVC helper function:
@Html.AntiForgeryToken()
Then I grabbed the value with jQuery:
var antiForgeryToken = $("[name='__RequestVerificationToken']").val();
I did verify that there is a value being passed in, however it's in the "Request Payload" and not "Form Data". I set the "responseContentType" to pass as "application/x-www-form-urlencoded; charset=UTF-8", but then it can't be deserialized.
As this scenario is not supported out-of-the-box by the igDataSource and the igGrid, I would suggest that you use the following workaround:
There is an internal method _remoteData that the igDataSource uses. It contains some of the settings that would be used later for the ajax call to the server. Overriding its prototype would allow you to change these settings so that the verification token gets added and the [ValidateAntiForgeryToken] attribute would work correctly in the Controller. There are three things that need to be modified:
I have attached an isolated MVC code sample where the approach described above is demonstrated in code.
antiForgeryTokenMVCGrid.zip
Please note that this is a custom solution and we cannot guarantee it would work for every possible scenario. Also, there is one drawback that has to be considered: the [GridDataSourceAction] attribute would not work with this workaround – meaning that if you use it in the Controller for handling the remote Filtering and Paging you mentioned, they would have to be handled manually instead.
More information on handling remote features manually might be found here: https://www.igniteui.com/help/handling-remote-features-manually
Thanks for your reply. Perhaps it would be considered to be added to the features of the Ignite UI controls as this is a common scenario when trying to prevent CSRF (cross site request forgery).
I have implemented a custom "ValidateAntiForgeryTokenAttribute" to handle this scenario:
    using System;
    using System.IO;
    using System.Web;
    using System.Web.Helpers;
    using System.Web.Mvc;

    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
    public sealed class ValidateRequestAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            HttpRequestBase request = filterContext.HttpContext.Request;
            // The token is read from the raw request body rather than Request.Form,
            // because the grid sends its parameters in the body.
            string token = GetTokenFromInputStream(request.InputStream);
            HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
            // Throws HttpAntiForgeryException when the cookie/form token pair does not match.
            AntiForgery.Validate(cookie != null ? cookie.Value : null, token);
        }

        // The body of this helper was not included in the post; this is an assumed
        // implementation for a form-urlencoded body. A JSON body needs a JSON parser instead.
        private static string GetTokenFromInputStream(Stream inputStream)
        {
            inputStream.Position = 0;
            string body = new StreamReader(inputStream).ReadToEnd();
            inputStream.Position = 0; // rewind so model binding can still read the body
            return HttpUtility.ParseQueryString(body)["__RequestVerificationToken"];
        }
    }
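The distinction between "Request Payload" and "Form Data" raised earlier in the thread is the whole reason the stock attribute fails: ASP.NET MVC populates Request.Form only from an application/x-www-form-urlencoded body, so a token sent as JSON is present in the request but invisible to [ValidateAntiForgeryToken]. The following Node.js example, added here and not part of the forum thread or of Ignite UI, serialises the same constructed extraParams object both ways and shows what a server-side filter such as the custom GetTokenFromInputStream above has to do to find the token in either encoding (the token value and the id are constructed; jQuery's $.param produces the same shape as URLSearchParams for a flat object):

```javascript
// Added example, not code from the forum thread. Node.js, no jQuery/Ignite UI dependency.
const TOKEN_FIELD = "__RequestVerificationToken";

// Constructed sample of what the dataBinding handler places into extraParams.
const extraParams = { id: 42, [TOKEN_FIELD]: "constructed-token-value" };

// "Form Data": body of an application/x-www-form-urlencoded request.
// ASP.NET MVC fills Request.Form from this, so [ValidateAntiForgeryToken] finds the token.
function encodeAsForm(params) {
  const pairs = Object.entries(params).map(([k, v]) => [k, String(v)]);
  return new URLSearchParams(pairs).toString();
}

// "Request Payload": body of an application/json request.
// Request.Form stays empty, so the stock attribute rejects the request even though the token is there.
function encodeAsJson(params) {
  return JSON.stringify(params);
}

// Server-side extraction, mirroring what a custom filter must do: dispatch on the
// Content-Type (ignoring the charset parameter), parse the raw body, and return the
// token or null. Unparseable input yields null so the caller fails closed instead of throwing.
function tokenFromBody(contentType, rawBody) {
  const mediaType = (contentType || "").split(";")[0].trim().toLowerCase();
  try {
    if (mediaType === "application/x-www-form-urlencoded") {
      return new URLSearchParams(rawBody).get(TOKEN_FIELD);
    }
    if (mediaType === "application/json") {
      const obj = JSON.parse(rawBody);
      return obj && typeof obj[TOKEN_FIELD] === "string" ? obj[TOKEN_FIELD] : null;
    }
  } catch (e) {
    return null;
  }
  return null; // unsupported media type: no token
}
```

Run with `node` and inspect `encodeAsForm(extraParams)` versus `encodeAsJson(extraParams)` to see the two body shapes the browser labels differently; `tokenFromBody` returns the same token for both, which is the behaviour the custom attribute relies on.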
May I suggest that you log this feature request as a product idea on our Product Ideas site.
There are many benefits to submitting a product idea:
- Direct communication with our product management team regarding your product idea.
- Notifications whenever new information regarding your idea becomes available.
- Ability to vote on your favorite product ideas to let us know which ones are the most important to you. You will have ten votes for this and can change which ideas you are voting for at any time.
- Allow you to shape the future of our products by requesting new controls and products altogether.
- You and other developers can discuss existing product ideas with members of our Product Management team.
Best regards, Martin Pavlov Infragistics, Inc.