Mvc: RazorPage endpoints don't respect IgnoreAntiforgeryToken

Created on 28 Feb 2017  路  6Comments  路  Source: aspnet/Mvc

If you add "OnPost" to a PageModel (like this one) and decorate it with [IgnoreAntiforgeryToken] it will still attempt to validate Antiforgery.

bug feature-Razor-Pages
Source
picture ryanbrandenburg
👍1

Most helpful comment

@pranavkm Yes, it's works with Order > 1000, thanks.
Maybe need add it to docs of Razor Pages.

picture verysimplenick on 28 Sep 2017
👍3

All 6 comments

According to @rynowak having attributes on these handlers isn't going to be possible.

ryanbrandenburg picture ryanbrandenburg on 14 Mar 2017

@rynowak , @ryanbrandenburg
Okay, that I can do that simulate [IgnoreAntiforgeryToken] behaviour in razor pages?

verysimplenick picture verysimplenick on 28 Sep 2017

@verysimplenick you should be able to annotate your Page model with the attribute and it should work now.

pranavkm picture pranavkm on 28 Sep 2017

@pranavkm
yep, I already tried 

    [IgnoreAntiforgeryToken(Order = 1000)]
    public class OfferModel : PageModel

But it's not working.

verysimplenick picture verysimplenick on 28 Sep 2017

The validate antiforgery attribute that gets applied has an order of 1000 - https://github.com/aspnet/Mvc/blob/dev/src/Microsoft.AspNetCore.Mvc.ViewFeatures/AutoValidateAntiforgeryTokenAttribute.cs#L40 so you might need a higher Order for IgnoreAntiforgeryToken to become effective. Could you bump it up (to 1001)?

pranavkm picture pranavkm on 28 Sep 2017

@pranavkm Yes, it's works with Order > 1000, thanks.
Maybe need add it to docs of Razor Pages.

verysimplenick picture verysimplenick on 28 Sep 2017
👍3
Was this page helpful?
0 / 5 - 0 ratings

Related issues

nefcanto picture nefcanto  路  3Comments
karthicksundararajan picture karthicksundararajan  路  4Comments
hikalkan picture hikalkan  路  4Comments
bugproof picture bugproof  路  3Comments
CzechsMix picture CzechsMix  路  3Comments