XSRF (CSRF) Form Posting Issues With Anti-Forgery Token

Topics: General, Troubleshooting
Feb 26, 2011 at 10:13 PM

Hi Orchard People,

I've been evaluating Orchard for a few weeks and want to thank the core team and all the contributors that have made the project what it is to date.

The question I'd like to throw out there is about an issue I'm having setting up anti-forgery protection against Cross-Site Request Forgery attacks. Here's what I've done so far:

 

--- Index.cshtml ---

@using (Html.BeginForm("Index", "ClientArea"))
{
    @Html.AntiForgeryToken()

    // form stuff..

    // ....
}

 

--- ClientAreaController.cs ---

[HttpGet]
public ActionResult Index()
{
    if (User.Identity.IsAuthenticated)
    {
        return View("Index", new SWClientArea.ViewModels.ClientRegSiteAViewModel());

        // ....
    }

    // ...
}

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Index(ClientRegSiteAViewModel model)
{
    if (User.Identity.IsAuthenticated)
    {
        // do something useful..

        // some filler code.. redirect to another page..
        return RedirectToAction("Index");
    }

    return View("NotAuthorized");
}

 

--- Web.config ---

   ...

   <machineKey validationKey="dsfsaf.." ... />

   ...

 

The form displays; I fill it in, submit, and get a token error:

A required anti-forgery token was not supplied or was invalid.

According to what I researched, I have all the necessary plumbing:

1. use @Html.AntiForgeryToken() in the form

2. decorate the controller POST action the form posts to with the [ValidateAntiForgeryToken] attribute.

3. configure <machineKey> in Orchard's Web.config

I also restarted the WebMatrix server and cleared out the "__RequestVerificationToken_Lw__" cookie in my localhost folder to make sure there weren't any old cookies lying around.

 

Any ideas?  I turned off AntiForgery in my module temporarily so I can continue developing.

Sasha

Feb 26, 2011 at 11:13 PM

 

Here are the versions I'm currently using, if it helps any:

Orchard 1.0.20.0

Microsoft ASP.NET MVC 2

Microsoft ASP.NET MVC 3

Microsoft ASP.NET Web Pages

IIS 7.5 Express

Microsoft WebMatrix

Microsoft .NET Framework 1.1

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft .NET Framework 4 Multi-Targeting Pack

Feb 28, 2011 at 6:42 PM

Some more info on the issue I'm having with setting up anti-CSRF:

So I restart the WebMatrix server and clear out browser cookies. The request verification cookie is set, and subsequent requests provide the cookie in the header.

Set-Cookie header:
__RequestVerificationToken_Lw__=Hxdr89Tntyvm564Xs3j2Q....

Cookie header on later requests:
__RequestVerificationToken_Lw__=Hxdr89Tntyvm564Xs3j2Q....

Form hidden token rendered from the GET request:
<input name="__RequestVerificationToken" type="hidden" value="/GMIuDW+btfMIbznOayetH7cACNDJ/ZsmTFqrW1....


When the Form is Posted, shouldn't the cookie __RequestVerificationToken_Lw__ and the form hidden field __RequestVerificationToken values be the same?


If yes, why are they different?

I came across an article from Microsoft on installing / publishing Orchard.

http://www.microsoft.com/web/post/installing-and-publishing-orchard-using-webmatrix

In the walkthrough, the Orchard Get Started page shows a prompt for "..need to define MachineKey value in your web.config file..."

My installation never prompted me for this. Did the installation process change, and does Orchard generate a key on its own that I should use for the machineKey?

Anyone out there had this problem and solved it, it would be great to hear from you.

Thanks,

Sasha
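The question above (should the cookie value and the hidden-field value be equal?) is the core of the confusion, so here is an added example, not code from the original post or from Orchard or ASP.NET MVC, that models the synchronizer-token pattern those helpers use. In this pattern the cookie holds a random value, and the form token holds that same value bound to the user and a timestamp and signed with the server key (MVC's real form token is a serialized structure carrying the value, a username, a creation date and a salt; this demo uses a simpler HMAC layout, so the string formats differ from MVC's). The two strings are therefore expected to differ, and validation checks that they belong together rather than that they are identical. The cookie-name helper follows the MVC 2/3 rule of appending a cookie-safe base64 of the application path, which is where the "_Lw__" suffix in the thread comes from ("/" encodes to "Lw=="). SERVER_KEY, the usernames and the timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

FIELD_NAME = "__RequestVerificationToken"
# Constructed stand-in for the <machineKey> secret; in ASP.NET it comes from web.config.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def cookie_name(app_path: str) -> str:
    """Cookie name = field name + '_' + cookie-safe base64 of the application path.

    Follows the MVC 2/3 naming rule, which is why an app rooted at "/" gets the
    suffix "_Lw__" seen in the thread ("/" -> "Lw==" -> "Lw__").
    """
    if not app_path:
        return FIELD_NAME
    b64 = base64.b64encode(app_path.encode("utf-8")).decode("ascii")
    return FIELD_NAME + "_" + b64.replace("+", ".").replace("/", "-").replace("=", "_")


def issue_cookie_token() -> str:
    """Random per-browser value that goes into the (HttpOnly) cookie."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def issue_form_token(cookie_token: str, username: str, now: Optional[int] = None) -> str:
    """Hidden-field value: the cookie's random value bound to the user and a timestamp,
    then signed with the server key. It is deliberately NOT equal to the cookie value."""
    ts = int(time.time()) if now is None else now
    payload = f"{cookie_token}|{username}|{ts}".encode("utf-8")
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def validate(cookies: Dict[str, str], form: Dict[str, str], username: str,
             app_path: str = "/", now: Optional[int] = None,
             max_age: int = 3600) -> Tuple[bool, str]:
    """Server-side check on POST; returns (ok, reason) so each failure mode is visible."""
    cookie_token = cookies.get(cookie_name(app_path))
    if cookie_token is None:
        # Also what you get when the cookie was set Secure but the form was served over http.
        return False, "anti-forgery cookie not supplied"
    field = form.get(FIELD_NAME)
    if field is None:
        return False, "anti-forgery form field not supplied"
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:
        return False, "form token malformed"
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "form token signature invalid"
    parts = payload.decode("utf-8").split("|")
    if len(parts) != 3:
        return False, "form token payload malformed"
    token, user, ts = parts
    if not hmac.compare_digest(token.encode("utf-8"), cookie_token.encode("utf-8")):
        return False, "cookie and form token do not belong together"
    if user != username:
        return False, "form token issued to a different user"
    current = int(time.time()) if now is None else now
    if current - int(ts) > max_age:
        return False, "form token expired"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed walk-through: one GET issues the pair, then several POSTs are checked."""
    cookie = issue_cookie_token()
    hidden = issue_form_token(cookie, "sasha", now=1_000_000)
    jar = {cookie_name("/"): cookie}
    return {
        "values differ": (cookie != hidden, "cookie and hidden field are different strings"),
        "matching pair": validate(jar, {FIELD_NAME: hidden}, "sasha", now=1_000_000),
        "no cookie sent": validate({}, {FIELD_NAME: hidden}, "sasha", now=1_000_000),
        "cookie from another browser": validate({cookie_name("/"): issue_cookie_token()},
                                               {FIELD_NAME: hidden}, "sasha", now=1_000_000),
        "stale token": validate(jar, {FIELD_NAME: hidden}, "sasha", now=1_000_000 + 7200),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:30} -> {'OK' if ok else 'REJECT'} ({reason})")
```

The "no cookie sent" case is the one to keep in mind when a form is rendered under one scheme or host and posted under another: the hidden field alone is never enough, so anything that stops the browser from presenting the cookie on the POST (a Secure cookie on an http page, a different host or application path in the cookie name) produces the same "not supplied or was invalid" error as a genuinely forged request.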

Aug 15, 2011 at 11:23 PM

Did you ever resolve this problem?  I am encountering the same issue.

Coordinator
Aug 16, 2011 at 12:33 AM

You should use Html.BeginFormAntiForgeryPost() instead. You can find a huge number of examples across Orchard views. It will generate a form with a valid anti-forgery token field, which is automatically validated by Orchard views.

Aug 18, 2011 at 11:20 PM

@rmisiak - Yes, I am using @using (Html.BeginFormAntiForgeryPost()) { ... }, which resolved the issue.

@sebastienros - Thanks

Hope this helps others.

Aug 23, 2011 at 4:23 AM

Html.BeginFormAntiForgeryPost() didn't work for me either at first (neither did Html.AntiForgeryTokenOrchard()). I found that the problem was that my GET method was returned over http, and my POST method had RequireHttps. Making both https solved my issue.