
I am working on a Blazor Server project, and I am doing a POST using HttpClient.PostAsJsonAsync in a Razor page. The anti-forgery request token seems to have some difficulties. When I put the directive [ValidateAntiForgeryToken] with the Post action, it fails with a 400 Bad Request. I'm getting a 200 Success when the directive is not present.

This is not consistent with the documentation I've read on .NET Core. See the following URL

It contains the following statement:

Razor Pages are automatically protected from XSRF/CSRF. For more information, see XSRF/CSRF and Razor Pages.

Why is the post failing with [ValidateAntiForgeryToken]? I appreciate any words of wisdom on this.

  • Did you try to catch the requests to see the differences between them? – Tiny Wang Sep 13 '22 at 03:13
  • I'm sorry that I can't understand your requirement well but I think the answers in [this question](https://stackoverflow.com/questions/13621934/validateantiforgerytoken-purpose-explanation-and-example) may help you. – Tiny Wang Sep 13 '22 at 05:18
  • The differences: with [ValidateAntiForgeryToken] 400 Bad Request. With it: 200 OK. Apparently .net core is not doing anti forgery token processing using HttpClient.PostAsJsonAsync – Roland Wales Sep 13 '22 at 12:06
  • `[ValidateAntiForgeryToken]` I also met an issue related to this attribute yesterday. That's because when we followed the tutorial to realize a form submit in Razor Pages, the controller action that had this attribute would make the request work. But if I send the post request with jQuery ajax, then it will fail. I'm afraid that a form submit will send the model to the controller but ajax will send a normal form object. – Tiny Wang Sep 14 '22 at 02:11
  • Why are you making an HTTP request in a Blazor Server application? Are you trying to connect to another app? XSRF/CSRF concerns do not apply in a standard Blazor Server paradigm. – Mayur Ekbote Sep 14 '22 at 06:19
  • Mayur, thank you for the comment. I'd love to see an example of Blazor Server without HTTP. I've been using the Microsoft Blazing Pizza tutorial and they use HTTP to read and write from the database. I've seen writes and reads to classes that store data in memory in Blazing Pizza, but not ones that require injection of a database context. – Roland Wales Sep 14 '22 at 17:42
  • You can just inject the db context into your pages or services. The very same thing that is done in the controller in your blazing pizza tutorial - you do that same thing. You don't need controllers here unless you intend to provide a public facing web api in your server project. – topsail Sep 15 '22 at 12:56
  • Just as a note, I think the documentation when it says "Razor Pages are automatically protected from XSRF/CSRF. For more information, see XSRF/CSRF and Razor Pages." this means you don't need to do anything - you are automatically protected. So you don't need to use this attribute. – topsail Sep 15 '22 at 12:58
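The behaviour in the question and in Tiny Wang's comment has one cause: `[ValidateAntiForgeryToken]` needs two matching tokens on the request, one in the antiforgery cookie and one in either a form field or a header named in the antiforgery options. A Razor form rendered with the form tag helper gets the hidden field for free, which is why the tutorial's form submit works; `HttpClient.PostAsJsonAsync` sends a JSON body with neither token and no browser cookie jar, so the filter rejects it with 400 before the action runs. The following is an added example (not code from the question, the Blazing Pizza tutorial or the ASP.NET Core docs) showing a minimal ASP.NET Core app that issues the token pair on a GET endpoint and a client helper that replays the cookie and sends the request token in a header; the endpoint path `/antiforgery/token`, the header name `X-CSRF-TOKEN`, and the names `OrdersController`, `OrderDto`, `TokenResponse` and `AntiforgeryClient` are assumptions chosen for this illustration.

```csharp
using System.Net;
using System.Net.Http.Json;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
// By default the validator looks for the request token in a form field.
// A JSON client has no form, so name a header it can put the token in.
builder.Services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");

var app = builder.Build();

// Issues a fresh token pair: the cookie token is written to the response as a
// Set-Cookie header, the request token is returned in the body so the caller
// can echo it back in the header on the POST. (Assumed endpoint path.)
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext ctx) =>
{
    AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(ctx);
    return Results.Ok(new { token = tokens.RequestToken, header = tokens.HeaderName });
});

app.MapControllers();
app.Run();

// Constructed sample payload; any JSON-serialisable type would do.
public record OrderDto(int PizzaId, int Quantity);

// Shape of the body returned by the token endpoint above.
public record TokenResponse(string Token, string Header);

[ApiController]
[Route("orders")]
public class OrdersController : ControllerBase
{
    // Without a cookie token AND a matching X-CSRF-TOKEN header the framework
    // rejects the request with 400 Bad Request before this method is reached.
    // Remove the attribute and the same request succeeds with 200, which is
    // exactly the difference observed in the question.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Create([FromBody] OrderDto order) => Ok(new { received = order });
}

// Client side of the exchange, e.g. called from a Blazor component or service.
// A server-side HttpClient does not share the browser's cookies, so the cookie
// token has to come from our own GET, kept by the handler's CookieContainer.
public static class AntiforgeryClient
{
    public static async Task<HttpResponseMessage> PostOrderAsync(Uri baseAddress, OrderDto order)
    {
        var handler = new HttpClientHandler { CookieContainer = new CookieContainer(), UseCookies = true };
        using var client = new HttpClient(handler) { BaseAddress = baseAddress };

        // Step 1: obtain the token pair. The cookie lands in the CookieContainer,
        // the request token comes back in the JSON body.
        TokenResponse issued = await client.GetFromJsonAsync<TokenResponse>("/antiforgery/token")
                               ?? throw new InvalidOperationException("token endpoint returned no body");

        // Step 2: send the request token in the configured header; the handler
        // replays the cookie automatically. Both halves are now present.
        client.DefaultRequestHeaders.Add(issued.Header, issued.Token);
        return await client.PostAsJsonAsync("/orders", order);
    }
}
```

Drop the `DefaultRequestHeaders.Add` line and the POST goes back to 400 even though the cookie is present, because the filter compares the two tokens. Note that this only matters when the Blazor Server app really has to call an HTTP endpoint; as topsail points out, injecting the DbContext or a service directly into the component avoids the request, the token round trip and the attribute altogether.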

0 Answers