Protip: Using Anti-Forgery Token with ASP.NET Web API on MVC 4 on AppHarbor
I just ran into and solved this problem so I thought I'd share (I'll also be talking about this at my upcoming talk).
Anti-Forgery in MVC
In vanilla MVC, you'd do anti-forgery like this in your Razor view:
@Html.AntiForgeryToken()
Then in a controller (POST):
[ValidateAntiForgeryToken]
public ActionResult DoSomething() { }
Cool. But what about Web API? It uses a totally different pipeline and likely you're interacting with it via JQuery or other AJAX framework.
ValidateHttpAntiForgeryToken
Here are some references I used when trying to implement Anti-Forgery with Web API:
- Problems implementing ValidatingAntiForgeryToken attribute for Web API with MVC 4 RC
- Web API and ValidateAntiForgeryToken
- Preventing Cross-Site Request Forgery (CSRF) Attacks
- MVC 4 SPA template
Here's the rub: the two SO posts above implement this quite differently than the MVC 4 SPA template and the last article referenced. Both approaches actually worked locally for me, but both failed once I deployed to AppHarbor.
The long and short of it is that I was using the HTTP header __RequestVerificationToken. This is a no-no and I'm sort of the dumb one here in that I should know not to use custom headers like that.
My friends, the proper way is to use the X-* convention, so the HTTP header in your AJAX requests become X-XSRF-Token instead.
Apparently, AppHarbor was stripping off the other header on AJAX POST. I was receiving an error about the given header could not be found.
The working solution is below:
The machineKey thing is also key to remember on a cloud host/web farm environment.
I hope that helps somebody out there.
Aside
In the last article referenced, the AntiForgery.GetTokens() didn't work for me on AH. I kept getting the error:
System.Web.Mvc.HttpAntiForgeryException (0x80004005): The required anti-forgery cookie "__RequestVerificationToken" is not present.
I didn't get far enough to see what actual cookies were present because I switched to the other method outlined in the two SO posts. I just thought you should know that it just didn't work. I believe it's because GetTokens does not create a new cookie if the cookieToken has a value where as using @Html.AntiForgeryToken() does. The source code makes that clear in the comments. Why it worked locally I have no idea and at this point, don't care!
