Orchard Anti-Forgery Exception

Topics: Writing modules
Sep 13, 2011 at 1:01 PM
Edited Sep 13, 2011 at 5:36 PM

Why would this code cause an anti-forgery error when the user is logged in? An exception is thrown whether the token is commented out or not.

    -------------------- View --------------------------------------------

    <form method="post" id="ChatForm" action="/WebAcre.Chat/Home/Index" >

        @*Html.AntiForgeryToken()*@

        <fieldset>
        <legend>Type Message</legend>
            <table style="width:100%;">
            <tr>
            <th>
                <input id="MessageId" name="MessageName" style="width:90%;" type="text" />
            </th>
            <th>
                <input type="submit" value="Send"/>
            </th>
            </tr>
            </table>
        </fieldset> 
    </form>

    -------------------- Controller ---------------------------------------
       
    [AcceptVerbs(HttpVerbs.Post)]
    //[ValidateAntiForgeryToken]
    public ViewResult Index(FormCollection form)
    {
        myChat.Add( ... );
        return View();
    }

    ------- Exception thrown at AntiForgeryAuthorizationFilter.cs ------------

    namespace Orchard.Mvc.AntiForgery {
    [UsedImplicitly]
    public class AntiForgeryAuthorizationFilter : FilterProvider, IAuthorizationFilter {

        ...

        public void OnAuthorization(AuthorizationContext filterContext) {

        ...

        var siteSalt = _siteService.GetSiteSettings().SiteSalt;
        var validator = new ValidateAntiForgeryTokenAttribute {Salt = siteSalt};
        validator.OnAuthorization(filterContext);   // <-- exception thrown here

    Throws: A required anti-forgery token was not supplied or was invalid.

Sep 13, 2011 at 6:33 PM

If I comment out the line //validator.OnAuthorization(filterContext); things work as they are supposed to. Is this a bug or am I missing something?

Mario

Coordinator
Sep 13, 2011 at 6:37 PM

Create the form with

    @using (Html.BeginFormAntiForgeryPost()) {

Sep 14, 2011 at 1:20 PM
bertrandleroy wrote:

Create the form with

    @using (Html.BeginFormAntiForgeryPost()) {


Thanks.

Jan 29, 2012 at 11:35 AM
Edited Jan 29, 2012 at 11:36 AM

If you need to route your form to somewhere else (another controller for example), use Url.Action for the first argument i.e.:

 

        using (Html.BeginFormAntiForgeryPost(Url.Action("Index", "CONTROLLER", new {Area = "NAMESPACE"}), FormMethod.Post, new {id = "someForm"}))
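
The replies above applied to the view from the question, as an added example that is not part of the original posts or of Orchard's own code. The action, controller and area names are assumptions read off the form action `/WebAcre.Chat/Home/Index` in the question.

```cshtml
@* Added example: the question's hand-written <form> replaced by Orchard's helper.
   Assumption: action "Index", controller "Home", area "WebAcre.Chat", taken from
   the original form action /WebAcre.Chat/Home/Index. *@

@* The filter shown in the question validates every such POST with
   Salt = siteSalt, whether or not the action carries [ValidateAntiForgeryToken].
   The form therefore has to carry a token issued for that same salt.
   BeginFormAntiForgeryPost renders the <form> tag together with the hidden
   anti-forgery field that the filter expects, so no separate
   Html.AntiForgeryToken() call is placed in the form body. *@
@using (Html.BeginFormAntiForgeryPost(
            Url.Action("Index", "Home", new { Area = "WebAcre.Chat" }),
            FormMethod.Post,
            new { id = "ChatForm" })) {
    <fieldset>
        <legend>Type Message</legend>
        <table style="width:100%;">
            <tr>
                <th>
                    <input id="MessageId" name="MessageName" style="width:90%;" type="text" />
                </th>
                <th>
                    <input type="submit" value="Send" />
                </th>
            </tr>
        </table>
    </fieldset>
}
```

With the token supplied this way, the validation call in `AntiForgeryAuthorizationFilter` can stay in place instead of being commented out.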