Bypass AntiForgery token validation

Topics: Customizing Orchard, General
May 28, 2014 at 9:34 AM
Hi,

I need to know how to bypass the antiforgery token validation for one method. I know I can "disable" it in the Module.txt file but this is a bit drastic.

So basically I have one route set up that gets redirected to from an external site and because of the AntiForgery token I am getting the following error...

The required anti-forgery cookie “__RequestVerificationToken” is not present.

Thanks!
Developer
May 28, 2014 at 10:06 AM
Unfortunately (and this is an ASP.NET MVC thing) the antiforgery token is opt-in only, not opt-out too. If you want a single controller not to have antiforgery validation then you have to set it at the module level, then add the necessary attribute to all controllers to make them use antiforgery validation. The same token can't be used to opt a single controller out.
May 28, 2014 at 10:21 AM
Edited May 28, 2014 at 10:24 AM
Piedone wrote:
Unfortunately (and this is an ASP.NET MVC thing) the antiforgery token is opt-in only, not opt-out too. If you want a single controller not to have antiforgery validation then you have to set it at the module level, then add the necessary attribute to all controllers to make them use antiforgery validation. The same token can't be used to opt a single controller out.
One of our files:

http://pastebin.com/GBWzmhWG

Ofc there is more than this (obviously) but stating it is an ASP.NET thing.. :P
Developer
May 28, 2014 at 10:26 AM
I'd be glad to be wrong but the System.Web.Mvc.ValidateAntiForgeryTokenAttribute is only opt-in and to my knowledge there is no other attribute that you could use to opt out. Care to share the rest of the code to show that it's possible by 3rd party code from an attribute?
May 28, 2014 at 10:29 AM
Piedone wrote:
I'd be glad to be wrong but the System.Web.Mvc.ValidateAntiForgeryTokenAttribute is only opt-in and to my knowledge there is no other attribute that you could use to opt out. Care to share the rest of the code to show that it's possible by 3rd party code from an attribute?
I don't see that used anywhere (ValidateAntiForgeryTokenAttribute) @ 1.7.3?

I just patched AntiForgeryAuthorizationFilter so that it checks for my custom attribute and if found it disables the check.
Developer
May 28, 2014 at 10:35 AM
It's not used anywhere built-in but ValidateAntiForgeryTokenAttribute is the attribute you can use to add antiforgery validation to a controller in a module where you have validation turned off.

Have you or would you open an issue about this? Would be a nice addition to the core.
May 28, 2014 at 10:36 AM
Piedone wrote:
It's not used anywhere built-in but ValidateAntiForgeryTokenAttribute is the attribute you can use to add antiforgery validation to a controller in a module where you have validation turned off.

Have you or would you open an issue about this? Would be a nice addition to the core.
I'll see if I can get to doing that today.
May 28, 2014 at 12:30 PM
@AimOrchard, I get the idea but do I override the OnAuthorization(), cause it looks like if I want to do that I need to add the filter in the global.asax file which is not stored in my project/module but orchard itself.

Do you have a further sample code for me?
May 28, 2014 at 12:52 PM
scullyG wrote:
@AimOrchard, I get the idea but do I override the OnAuthorization(), cause it looks like if I want to do that I need to add the filter in the global.asax file which is not stored in my project/module but orchard itself.

Do you have a further sample code for me?
What I did was patch Orchard itself so yeah, I can't give you a solution that doesn't require patching orchard.
May 29, 2014 at 8:47 AM
Developer
May 29, 2014 at 10:18 AM
Thank you!
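
The attribute-based opt-out discussed in this thread, shown for plain ASP.NET MVC as an added example; it is not code from any participant, from the linked pastebin, or from Orchard. `SkipAntiForgeryAttribute`, `OptOutAntiForgeryFilter` and `ExternalReturnController` are hypothetical names, and the filter assumes validation is enforced on POST requests only.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical marker attribute (not part of ASP.NET MVC or Orchard).
// Restricted to methods so a whole controller cannot be exempted at once.
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = false)]
public sealed class SkipAntiForgeryAttribute : Attribute { }

// Hypothetical authorization filter: validates the anti-forgery token on
// every POST unless the target action is explicitly marked [SkipAntiForgery].
public sealed class OptOutAntiForgeryFilter : IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // Assumption: only POST requests are validated.
        var method = filterContext.HttpContext.Request.HttpMethod;
        if (!string.Equals(method, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        // The exemption is per action and visible in code review.
        if (filterContext.ActionDescriptor.IsDefined(typeof(SkipAntiForgeryAttribute), false))
            return;

        // Throws HttpAntiForgeryException when the __RequestVerificationToken
        // cookie or form field is missing or the two do not match.
        AntiForgery.Validate();
    }
}

// Hypothetical controller receiving a POST from an external site.
public class ExternalReturnController : Controller
{
    [HttpPost, SkipAntiForgery]
    public ActionResult Callback(string payload)
    {
        // The anti-forgery token no longer vouches for this request, so the
        // action has to authenticate the caller itself (for example by
        // checking a signature the external site attaches to the payload).
        return new HttpStatusCodeResult(200);
    }

    [HttpPost]
    public ActionResult Save(string value)
    {
        // Still covered by OptOutAntiForgeryFilter.
        return RedirectToAction("Index");
    }
}
```

In a plain MVC application the filter would be registered once with `GlobalFilters.Filters.Add(new OptOutAntiForgeryFilter())`; as the thread notes, a module does not own that registration point, which is why the poster patched the existing filter instead.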