AntiforgeryToken post in Angular.js

Topics: Core, Customizing Orchard
Dec 6, 2013 at 10:23 PM
I'm trying to do a POST in an angular application in Orchard but I keep running into the "The required anti-forgery form field "__RequestVerificationToken" is not present." error.

I've tried generating the token in my razor view and passing that in the data body when I do the post, but Orchard never recognizes the token. I have verified that it is present in the request payload as well.

here is the token being generated in my view:
@using (Script.Foot()) {
        appcreate.constant("AppSettings", {
            APIUrl: '@Url.Content("Create")',
            OrchardToken: '@Html.AntiForgeryTokenValueOrchard()'
here is the POST in my angular service:
    self.CreateApplication = function (app) {
        var defer = $q.defer();
        var dataObj = app;

        //post the data here and add the antforgery token
            url: AppSettings.APIUrl + "/CreatePOST?",
            method: "POST",
            data: {
                model: dataObj,
                __RequestVerificationToken : AppSettings.OrchardToken
            dataType: "json",
            headers: {'Content-Type': 'application/json; charset=utf-8'}
        .success(function (data) {
        .error(function (error) {
        return defer.promise;
The dataObj in the POST above is an object that looks like this:
    self.Application = {
        Id : 0,
        Name : "",
        Url: "",
        Active: true,
        IsTracked: true,
        Description: ""
Here is the controller action I am trying to post to:
        [HttpPost, ActionName("Create")]
        public JsonResult CreatePOST(Application model)
            var response = _appService.Create(model);
            return Json(response == null ? new Application() : model);
I also know that there is a setting to enable or disable antiforgery for the entire module, but it seems to have no effect. Currently it is set to "AntiForgery: disabled" but I have also tried "AntiForgery: enabled" with no difference.

I've also tried putting the token in the request header and query string but neither worked. What am I doing wrong? I out of ideas on how I can pass the token in a way for Orchard to recognize it.
Dec 9, 2013 at 4:10 AM
Has anyone else ran into this? Maybe I'm not understanding how the Anti forgery token is used in Orchard. It just needs to be generated in the view via the @Html.AntiForgeryTokenValueOrchard() helper then passed to the controller in the body of the POST request correct?
Dec 9, 2013 at 5:53 AM
That is, lose the content type: json from the ajax post.

I would also recommend using url.action() instead of url.content() with action name Create, not CreatePost instead of adding CreatePost in the client script, since there is already an ActionName("Create") attribute for the action method.

Dec 9, 2013 at 3:49 PM
Thanks for the help. I took your advice and renamed the action and and used URL.Action() in the view. I tried both removing the content type header from my code and explicitly changing it to be form encoded but neither worked. It could be something with the way the HTTP module in Angular submits posts or something. I'm not sure.

Either way for now I was able to just disable the validation check in the module.txt file.

Dec 10, 2013 at 2:34 AM
You should not disable the anti-forgery token. Use your browser's developer tools to visualize what's being sent to the server.
Mar 24 at 3:40 AM
I'm having the exact same issue right now. Everything is fine with jQuery Ajax post but not AnguarJS post.

I guess the problem is caused by different post data structure AngularJS is using.

In jQuery the post data contained in HTTP body is like:
whereas in AngularJS it's like:
And from the source of this link:

It says by default, mvc will check for Request.Form["__RequestVerificationToken"], which is missing from the AnguarJS post.
Mar 24 at 9:03 AM
I ran into this problem a few months back. It took me days to fix this issue, because the "antiforgery token missing" error is very misleading. Actually, the problem is not with the antiforgery token, but with the Ajax request format.

Just remove the following statement from your ajax request:
headers: {'Content-Type': 'application/json; charset=utf-8'}
It worked for me and I am pretty much sure it will work for you. If you are still facing the same problem then please view the code in Orchard where they are making Ajax calls and try to make your Ajax request look like theirs Ajax request.

For example, My Ajax request looks like following with simple jQuery and it works just fine:
        url: url,
        type: "POST",
        async: false,
        data: jsonObject,
        dataType: "json",
        success: function (data) {
          // some code
Hope it helps.