In this article I will explain with an example, how to send AntiForgeryToken with AngularJS AJAX request in ASP.Net Core MVC.
The AntiForgeryToken is used to prevent cross-site request forgery (CSRF) attacks and this article will illustrate how to configure and use the AntiForgeryToken during AngularJS AJAX request in ASP.Net Core MVC.
Configuring the Anti-Forgery Token and JSON Serializer setting
The first step is to configure the Anti-Forgery Token and JSON Serializer settings in the Startup.cs file.
1. Open the Startup.cs class from the Solution Explorer window.
2. Add the following namespaces.
using Microsoft.AspNetCore.Mvc;
using Newtonsoft.Json.Serialization;
3. Then inside the ConfigureServices method, you will have to add the following code which will instruct the program to:
1. Use Newtonsoft JSON for serialization.
2. Add Anti-Forgery Token with specific name to the Form.
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc()
.SetCompatibilityVersion(CompatibilityVersion.Version_2_1)
.AddJsonOptions(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver());
services.AddAntiforgery(o => o.HeaderName = "XSRF-TOKEN");
}
Model
Following is a Model class named PersonModel with two properties i.e. Name and DateTime.
public class PersonModel
{
///<summary>
/// Gets or sets Name.
///</summary>
public string Name { get; set; }
///<summary>
/// Gets or sets DateTime.
///</summary>
public string DateTime { get; set; }
}
Controller
The Controller consists of following two Action methods.
Action method for handling GET operation
Inside this Action method, simply the View is returned.
Action method for handling AngularJS AJAX operation
This Action method handles the AJAX call made from the AngularJS $http service in the View.
Attributes
HttpPost: The HttpPost attribute which signifies that the method will accept Http Post requests.
ValidateAntiForgeryToken: The ValidateAntiForgeryToken attribute is used to prevent cross-site request forgery attacks.
Note: A cross-site request forgery is an attack is done by sending harmful script element, malicious command, or code from the user’s browser.
The object of PersonModel class is received as parameter and the Name property holds the value of the TextBox sent from the View.
Note: The FromBody attribute is used for model-binding the data sent from AngularJS $http service.
Finally, the Current DateTime of the Server is set into the DateTime property and the PersonModel object is returned to the View in JSON format.
public class HomeController : Controller
{
public IActionResult Index()
{
return View();
}
[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult AjaxMethod([FromBody] PersonModel person)
{
person.DateTime = DateTime.Now.ToString();
return Json(person);
}
}
View
The View HTML Markup consists of an HTML DIV to which ng-app and ng-controller AngularJS directives have been assigned.
The HTML DIV consists of an HTML TextBox and a Button. The Button has been assigned AngularJS ng-click directive. When the Button is clicked, the ButtonClick function is executed.
The Anti-Forgery Token has been added to View Page using the AntiForgeryToken function of the HTML Helper class.
Inside the ButtonClick function, the $http service is used to make an AJAX call to the Controller’s Action method.
The $http service has following properties and methods.
Properties
1. method – The method type of HTTP Request i.e. GET or POST.
2. url – URL of the Controller’s Action method.
3. datatype – The format of the data i.e. XML or JSON.
4. data – The parameters to be sent to the Controller’s Action method.
5. headers – List of headers to be specified for the HTTP Request.
The value of the Anti-Forgery Token is read from the Hidden Field added by the Html.AntiForgeryToken HTML Helper function and added to the headers property of $http service.
Event Handler
1. success – This event handler is triggered once the AJAX call is successfully executed.
2. error – This event handler is triggered when the AJAX call encounters an error.
The response from the AJAX call is received in JSON format inside the Success event handler of the $http service and the result is displayed using JavaScript Alert Message Box.
@{
Layout = null;
}
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width" />
<title>Index</title>
</head>
<body>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/angularjs/1.3.9/angular.min.js"></script>
<script type="text/javascript">
var app = angular.module('MyApp', [])
app.controller('MyController', function ($scope, $http, $window) {
$scope.ButtonClick = function () {
var antiForgeryToken = document.getElementsByName("__RequestVerificationToken")[0].value;
var post = $http({
method: "POST",
url: "/Home/AjaxMethod",
dataType: 'json',
data: { name: $scope.Name },
headers: {
"Content-Type": "application/json",
"XSRF-TOKEN": antiForgeryToken
}
});
post.success(function (data, status) {
$window.alert("Hello: " + data.Name + ".\nCurrent Date and Time: " + data.DateTime);
});
post.error(function (data, status) {
$window.alert(data.Message);
});
}
});
</script>
@Html.AntiForgeryToken()
<div ng-app="MyApp" ng-controller="MyController">
<input type="text" ng-model="Name" />
<input type="button" value="Get Current Time" ng-click="ButtonClick()" />
</div>
</body>
</html>
Screenshot
Downloads