Topics: Writing modules
Sep 29, 2011 at 4:15 PM

Is there a way to authenticate the Orchard AntiforgeryToken without authenticating the user?

Sep 29, 2011 at 5:04 PM

What do you mean authenticate the token? I'm not sure what authenticating the user has to do with anti-forgery.

Sep 29, 2011 at 5:41 PM
Edited Sep 29, 2011 at 5:41 PM

Hey Bretrand,

I don't know, I don't see the connection either. I am learning Orchard, and you told me to look at the Media Picker example. The Media Picker example verify the Antiforgery Token by calling Services.Authorizer.Authorize(Permissions.User). This makes Orchard Antiforgery verification coupled with a user log in. It also does an aweful lot of extra compute cycles that is unrelated to cross site attacks.

What do you know about this?

Sep 29, 2011 at 5:50 PM

That code is unrelated to antiforgery.

Sep 29, 2011 at 5:52 PM

Would you care to explain that?

Sep 29, 2011 at 5:57 PM

That call to Authorize is there to check the permissions, not to check the token.

Sep 29, 2011 at 6:11 PM


This is not very productive. I have spent about two weeks learing how to use the Orchard Antiforgery Token because Orchard fails when I use Ajax.BeginForm() or the MVC [ValidateAntiForgeryToken] tag.


Sep 29, 2011 at 7:47 PM

I'm sorry about that. I'm spending a considerable amount of my time trying to use as many users as possible. I unfortunately can't go as deep into each problem as I'd like for lack of time so instead I try to point people in the right direction. In this specific case, I couldn't find the code you're referring to so I have to rely on your description of it, in which I can see no relationship to antiforgery. I'd love to give you a better answer but for that you need to provide more information for me to work with.

Sep 29, 2011 at 9:12 PM

I can maby shed some light on this. We made a "Request bridge" which can forward requests to other servers. One of the things we needed to do was to include the AntiForgery token in each request. So, an ajax call for us looks like this:


POST http://localhost:30322/Url/Bridge/Redirect HTTP/1.1
Cookie: __RequestVerificationToken_L09yY2hhcmRMb2NhbA__=+k+uf5fSp9w/VFzgwkcHldYqi69BRGdQQNKnXgx1ywQ9YONnQp1n5WpYiOgW1mFhW+4RXqmPvhg1/hCTOO0XXUOOuJEIn1fpre5mCr7WEI1vhttG403Nj1vS+o3MCZQAROentqFmgQ3Zm9GYIktYDnpxev9vbjLpHPzkjJVWYYY=;




The import thing is to add the token to the ajax call for posts (we have not done anything else.


In a jquery ajax wrapper we have this:

@Html.AntiForgeryTokenValueOrchard(), which gives the token to validate upon post, and for whatever data passed to the js "proxy" method we use,  data.__RequestVerificationToken = antiforgerytoken; (which is the __RequestVerificationToken seen above).


Hope this helps, have never used "Ajax.BeginForm() or the MVC [ValidateAntiForgeryToken]"