Aspnetboilerplate: Empty or invalid anti forgery header token

Try adding this in your View:

@{
    SetAntiForgeryCookie();
}

its there already.

Try adding it in your View.

@ktngoykalolo you need to add anti forgery header to request headers of the grid. You can take a look at this example https://www.syncfusion.com/kb/5963/how-to-send-custom-headers-to-server-using-datamanager.

Something like this;
this.model.dataSource.dataSource.headers.push({ abp.security.antiForgery.tokenHeaderName: abp.security.antiForgery.getToken()});

I figured I would have to do something along that line. I will test and let you know.

Hello, I did try as you suggested but it doesn't work. I am suspecting that I am not picking up the token properly I am looking at implementing a work around. Besides the datagrid supports generating an anti forgery token as well but it is not working as well. I am investigating the 2 approach.

BTW : What is the name of the token that ABP generates?

Thanks for the support

@ktngoykalolo you can see the name of the token whe you run "abp.security.antiForgery.tokenHeaderName" on your browser console. If you run "abp.security.antiForgery.getToken()" on the browser console, you can see the value of the token.

You can check the grid's ajax request headers to see if "X-XSRF-TOKEN" is sent or not.

Hello @ismcagdas,
indeed the issue is that the grid does not add that token on the ajax request, I have reached out to their support and they sent me a sample js script to extend the data source manager in order to include the token in the requests. unfortunately it did not work. I am still digging up on my side how to resolve this.
will keep you guys posted when I got progress.

thanks.

Did you try to Intercept XMLHttpRequest?

Since all libraries use JavaScript's native AJAX object, XMLHttpRequest, you can define a simple interceptor to add the token to the header:

(function (send) {
    XMLHttpRequest.prototype.send = function (data) {
        this.setRequestHeader(abp.security.antiForgery.tokenHeaderName, abp.security.antiForgery.getToken());
        return send.call(this, data);
    };
})(XMLHttpRequest.prototype.send);

Hello @acjh,
I have not tried it yet, thank you for the suggestion.
from my discussion with the support, I need to extend the data source manager of the grid so that it includes the token in the requests. I will study how to use the approach you sent.

if I get this right, I will study further how to integrate syncfusion controls with ABP framework, MPA and SPA versions.

Hello I am trying to use the following method :
Configuration.Modules.AbpWeb().AntiForgery.IsEnabled = false;
in the mvc module but it is not working. could you please advise ?

@ktngoykalolo have you put this configuration into the Preinitialize method of your web module ?

Yes I did but the code does not seem to recognize the abpweb code.

Kevin T. Ngoy Kalolo
Sent from my iPhone

From: İsmail ÇAĞDAŞ notifications@github.com
Sent: Friday, March 23, 2018 8:34:31 PM
To: aspnetboilerplate/aspnetboilerplate
Cc: Kevin Tshimanga Ngoy Kalolo; Mention
Subject: Re: [aspnetboilerplate/aspnetboilerplate] Empty or invalid anti forgery header token (#3159)

@ktngoykalolo have you put this configuration into the Preinitialize method of your web module ?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/aspnetboilerplate/aspnetboilerplate/issues/3159#issuecomment-375775936, or mute the threadhttps://github.com/notifications/unsubscribe-auth/ADH_LAz-I0BQrF34eWznECGqR_8nGz6lks5thU5HgaJpZM4SbYFH.

Are you working on MVC 5.x or ASP.NET Core ?

MVC 5.x and ABP version 3.1.2. Is there razor method equivalent to the Javascript methods to get the token?

Kevin T. Ngoy Kalolo
Sent from my iPhone

From: İsmail ÇAĞDAŞ notifications@github.com
Sent: Friday, March 23, 2018 8:40:02 PM
To: aspnetboilerplate/aspnetboilerplate
Cc: Kevin Tshimanga Ngoy Kalolo; Mention
Subject: Re: [aspnetboilerplate/aspnetboilerplate] Empty or invalid anti forgery header token (#3159)

Are you working on MVC 5.x or ASP.NET Core ?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/aspnetboilerplate/aspnetboilerplate/issues/3159#issuecomment-375777215, or mute the threadhttps://github.com/notifications/unsubscribe-auth/ADH_LMAPlu9-PQIZyA_C9dS5r0ss8G5Gks5thU-RgaJpZM4SbYFH.

@ktngoykalolo yes but apperantly syncfusion grid doesn't use that value at all. I couldn't understand why modifying the request using javascript didn't work for you.

Have you checked the request details on the browser's network tab ? Is the anti forgery token you have added was on the request headers ?

If you can share the javascript code you have tried I can take a look.

From my side I have been able to see the token using your method. I suspect that I am not adding properly the headers in the requests. I am looking at it again. The token exists and I am able to see it.

Kevin T. Ngoy Kalolo
Sent from my iPhone

From: İsmail ÇAĞDAŞ notifications@github.com
Sent: Friday, March 23, 2018 8:47:24 PM
To: aspnetboilerplate/aspnetboilerplate
Cc: Kevin Tshimanga Ngoy Kalolo; Mention
Subject: Re: [aspnetboilerplate/aspnetboilerplate] Empty or invalid anti forgery header token (#3159)

@ktngoykalolo yes but apperantly syncfusion grid doesn't use that value at all. I couldn't understand why modifying the request using javascript didn't work for you.

Have you checked the request details on the browser's network tab ? Is the anti forgery token you have added was on the request headers ?

If you can share the javascript code you have tried I can take a look.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/aspnetboilerplate/aspnetboilerplate/issues/3159#issuecomment-375778941, or mute the threadhttps://github.com/notifications/unsubscribe-auth/ADH_LBZ32VTNLqBGsGWbRri5bvSeNqSzks5thVFLgaJpZM4SbYFH.

Can you share a screenshot of it ?

I will share the code. I am on the move. What is the method for looking at the token in razor? The grid can also add headers using C# razor.

Kevin T. Ngoy Kalolo
Sent from my iPhone

From: Kevin Tshimanga Ngoy Kalolo ktngoykalolo@live.fr
Sent: Friday, March 23, 2018 8:49:26 PM
To: aspnetboilerplate/aspnetboilerplate; aspnetboilerplate/aspnetboilerplate
Cc: Mention
Subject: Re: [aspnetboilerplate/aspnetboilerplate] Empty or invalid anti forgery header token (#3159)

From my side I have been able to see the token using your method. I suspect that I am not adding properly the headers in the requests. I am looking at it again. The token exists and I am able to see it.

Kevin T. Ngoy Kalolo
Sent from my iPhone

From: İsmail ÇAĞDAŞ notifications@github.com
Sent: Friday, March 23, 2018 8:47:24 PM
To: aspnetboilerplate/aspnetboilerplate
Cc: Kevin Tshimanga Ngoy Kalolo; Mention
Subject: Re: [aspnetboilerplate/aspnetboilerplate] Empty or invalid anti forgery header token (#3159)

@ktngoykalolo yes but apperantly syncfusion grid doesn't use that value at all. I couldn't understand why modifying the request using javascript didn't work for you.

Have you checked the request details on the browser's network tab ? Is the anti forgery token you have added was on the request headers ?

If you can share the javascript code you have tried I can take a look.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/aspnetboilerplate/aspnetboilerplate/issues/3159#issuecomment-375778941, or mute the threadhttps://github.com/notifications/unsubscribe-auth/ADH_LBZ32VTNLqBGsGWbRri5bvSeNqSzks5thVFLgaJpZM4SbYFH.

Thanks. We can check it when you share.
Here is the code for setting anti forgery token in razor view (MVC 5.x), https://aspnetboilerplate.com/Pages/Documents/XSRF-CSRF-Protection#layout-view.

hi @ismcagdas,
here is the sample sent by the support team :
http://www.syncfusion.com/downloads/support/directtrac/200393/ze/EJGrid-1430205935.zip

hi, I just tested an insert method with the disableAntiforgeryToken decorated and it's working.
it proves that the issue is how to add the token.
will give you details soon.

Hello guys,
I am still working on the antiforgery token issue.
I am disucssing with the support to get a javascript code snippet that will properly include the needed token. the one I sent earlier is close enough to what I need.

hello here is a sample of the code sent by the team,
I tried to modify the code to adapt to my requirements.
I am not very strong in Javascript so please understand if you find some errors.

<script type="text/javascript">
    var dmAdaptorUpdate = function (keyField, value, tableName) {
        var res = this.adaptor.update(this, keyField, value, tableName);
        return $.ajax($.extend({
            beforeSend: ej.proxy(this._beforeSend, this)
        }, res));
    }
    var dmAdaptorInsert = function (data, tableName) {
        var res = this.adaptor.insert(this, data, tableName);
        var deffer = $.Deferred();
        $.ajax($.extend({
            beforeSend: ej.proxy(this._beforeSend, this),
            success: ej.proxy(function (record, status, xhr, request) {
                record = function () {
                    if (data.d)
                        data = data.d;
                    return data;
                };
                deffer.resolveWith(this, [{ record: record, dataManager: this }]);
            }, this),
            error: function (e) {
                deffer.rejectWith(this, [{ error: e, dataManager: this }]);
            }
        }, res));

        return deffer.promise();
    }

    //var dmAdaptorRemove = function (dataObj, keyField, value, tableName, query)
    //{
    //    var res = this.adaptor.remove(this, keyField, value, tableName, query);
    //}
    var adaptor = new ej.remoteSaveAdaptor().extend({
        update: function (dm, keyField, value, tableName) {
            //var token = value.__RequestVerificationToken;
            var token = abp.security.antiForgery.getToken();
            delete value['__RequestVerificationToken'];
            return {
                type: "POST",
                url: dm.dataSource.updateUrl || dm.dataSource.crudUrl || dm.dataSource.url,
                data: {
                    __RequestVerificationToken: token,
                    value: value
                }
            };
        },
        insert: function (dm, data, tableName) {
            //var token = value.__RequestVerificationToken;
            var token = abp.security.antiForgery.getToken();
            delete data['__RequestVerificationToken'];
            return {
                type: "POST",
                url: dm.dataSource.insertUrl || dm.dataSource.crudUrl || dm.dataSource.url,
                data: {
                    __RequestVerificationToken: token,
                    value: data
                }
            };
        }
        //remove: function (dm, data, tableName)
        //{
        //    var token = value.__RequestVerificationToken;
        //    delete data['__RequestVerificationToken'];
        //    return {
        //        type: "POST",
        //        url: dm.dataSource.removeUrl || dm.dataSource.crudUrl || dm.dataSource.url,
        //        data: {
        //            __RequestVerificationToken: token,
        //            value: data
        //        }
        //    };
        //}
    })
    function load(args)
    {
        this.model.dataSource.adaptor = new adaptor();
        this.model.dataSource.update = dmAdaptorUpdate;
        this.model.dataSource.insert = dmAdaptorInsert;
        //this.model.dataSource.remove = ;
    }

</script>

Thanks for getting back!

Can this issue be closed as resolved?

hi @acjh ,
please don't close it yet.
please I want you to look at the code and advise if it could work ?

@ktngoykalolo I think the above code is for ASP.NET Core. Can you share your current javascript code for retrieveing data from server the one which works when you add disableAntiforgeryToken attribute to your action ?

@ismcagdas well that is the code that actually works. the issue is with the javascript code. they just sent me some other sample that I am testing now.

the project they have sent is running on ASP.NET MVC 5.x.

@ktngoykalolo "__RequestVerificationToken" header is used in ASP.NET Core, so that is why I think it was for ASP.NET Core.

the update function is working well but the insert not working properly.

@ktngoykalolo can you share the error message ?

hello guys,
still getting 500 Internal Server Error with the UrlInsert method. precisely it is validation errors.

Just a quick question :
if I have an entity that has a one to many relationship, do I have to include the child collection when creating them ?

No, unless you made it [Required].

still getting 500 Internal Server Error with the UrlInsert method. precisely it is validation errors.

Are there any useful error messages on the server side log file ?

I will look at the logs and let you know. the Update method works just great.

Abp.Runtime.Validation.AbpValidationException: Method arguments are not valid! See ValidationErrors for details. at Abp.Runtime.Validation.Interception.MethodInvocationValidator.ThrowValidationError() in D:\Github\aspnetboilerplate\src\Abp\Runtime\Validation\Interception\MethodInvocationValidator.cs:line 128 at Abp.Runtime.Validation.Interception.MethodInvocationValidator.Validate() in D:\Github\aspnetboilerplate\src\Abp\Runtime\Validation\Interception\MethodInvocationValidator.cs:line 94 at Abp.Web.Mvc.Validation.AbpMvcValidationFilter.OnActionExecuting(ActionExecutingContext filterContext) in D:\Github\aspnetboilerplate\src\Abp.Web.Mvc\Web\Mvc\Validation\AbpMvcValidationFilter.cs:line 35 at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(Int32 filterIndex) at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(Int32 filterIndex)

Show the code for the parameter of UrlInsert.

```c#
[HttpPost]
public ActionResult UrlInsert(ClientDto value)
{
value.CreatorUserId = AbpSession.UserId;
value.CreationTime = DateTime.Now;

_clientAppService.Create(value);
var data = _clientAppService.GetAll();
return Json(data, JsonRequestBehavior.AllowGet);

}
```

Show the code for ClientDto.

c# [AutoMap(typeof(Client))] public class ClientDto : FullAuditedEntityDto<int> { [Required] [DisplayName("Client Name")] public string ClientName { get; set; } [DisplayName("Mix Contract")] public string MixContract { get; set; } [DisplayName("ID Nat")] public string IDNat { get; set; } [DisplayName("NRC")] public string NRC { get; set; } [DisplayName("Address")] public string Adress { get; set; } public string PostalBox { get; set; } }

Please format code like this:

```c#
// Your code
```

Does ClientName have a value?

yes it takes a value.

most of the colums take values

{"value":{"clientName":"test","mixContract":"test","idNat":"test","nrc":"test","adress":"tses","postalBox":"test","isDeleted":false,"deleterUserId":null,"deletionTime":null,"lastModificationTime":null,"lastModifierUserId":null,"creationTime":"2018-03-28T20:37:28.7554355+01:00","creatorUserId":null,"id":0}}

Is the error thrown before entering the method?

ServiceName MethodName
RechargeSystem.Web.Controllers.ClientsController UrlInsert

I wonder if this is not due to the Id having a 0 value ?

Hi I have found what is causing the issue,
the primary key field is supposed to be generated automatically. I get the HTTP 200 response when I fill that field too. I suspect that something is just rejecting the empty field.

@ktngoykalolo Is this resolved?

@acjh
The solution :
c# (function (send) { XMLHttpRequest.prototype.send = function (data) { this.setRequestHeader(abp.security.antiForgery.tokenHeaderName, abp.security.antiForgery.getToken()); return send.call(this, data); }; })(XMLHttpRequest.prototype.send);
worked for me, many thanks much appreciated