blocks|key|2831494|text|您错误地指定了application/json的contentType。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|2831495|这是一个如何工作的示例。|2831496|控制器：|2831497|public+class+HomeController+:+Controller
{
++++public+ActionResult+Index()
++++{
++++++++return+View();
++++}

++++[HttpPost]
++++[ValidateAntiForgeryToken]
++++public+ActionResult+Index(string+someValue)
++++{
++++++++return+Json(new+{+someValue+=+someValue+});
++++}
}|code-block|syntax|javascript|2831498|查看：|2831499|@using+(Html.BeginForm(null,+null,+FormMethod.Post,+new+{+id+=+"__AjaxAntiForgeryForm"+}))
{
++++@Html.AntiForgeryToken()
}

<div+id="myDiv"+data-url="@Url.Action("Index",+"Home")">
++++Click+me+to+send+an+AJAX+request+to+a+controller+action
++++decorated+with+the+[ValidateAntiForgeryToken]+attribute
</div>

<script+type="text/javascript">
++++$('#myDiv').submit(function+()+{
++++++++var+form+=+$('#__AjaxAntiForgeryForm');
++++++++var+token+=+$('input[name="__RequestVerificationToken"]',+form).val();
++++++++$.ajax({
++++++++++++url:+$(this).data('url'),
++++++++++++type:+'POST',
++++++++++++data:+{+
++++++++++++++++__RequestVerificationToken:+token,+
++++++++++++++++someValue:+'some+value'+
++++++++++++},
++++++++++++success:+function+(result)+{
++++++++++++++++alert(result.someValue);
++++++++++++}
++++++++});
++++++++return+false;
++++});
</script>|2831500|entityMap^0|7|G|O|B|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|U|8|@$9|V|A|W|B|C]|$9|X|A|Y|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|Z|8|@]|D|@]|E|$]]|$1|H|3|I|5|6|7|10|8|@]|D|@]|E|$]]|$1|J|3|K|5|L|7|11|8|@]|D|@]|E|$M|N]]|$1|O|3|P|5|6|7|12|8|@]|D|@]|E|$]]|$1|Q|3|R|5|L|7|13|8|@]|D|@]|E|$M|N]]|$1|S|3|-4|5|6|7|14|8|@]|D|@]|E|$]]]|T|$]]

<p>You have incorrectly specified the <code>contentType</code> to <code>application/json</code>. </p>

<p>Here's an example of how this might work.</p>

<p>Controller:</p>

<pre><code>public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(string someValue)
    {
        return Json(new { someValue = someValue });
    }
}
</code></pre>

<p>View:</p>

<pre><code>@using (Html.BeginForm(null, null, FormMethod.Post, new { id = "__AjaxAntiForgeryForm" }))
{
    @Html.AntiForgeryToken()
}

&lt;div id="myDiv" data-url="@Url.Action("Index", "Home")"&gt;
    Click me to send an AJAX request to a controller action
    decorated with the [ValidateAntiForgeryToken] attribute
&lt;/div&gt;

&lt;script type="text/javascript"&gt;
    $('#myDiv').submit(function () {
        var form = $('#__AjaxAntiForgeryForm');
        var token = $('input[name="__RequestVerificationToken"]', form).val();
        $.ajax({
            url: $(this).data('url'),
            type: 'POST',
            data: { 
                __RequestVerificationToken: token, 
                someValue: 'some value' 
            },
            success: function (result) {
                alert(result.someValue);
            }
        });
        return false;
    });
&lt;/script&gt;
</code></pre>


blocks|key|201221|text|我使用的另一种(更少javascriptish)方法是这样的：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|201222|首先，一个Html帮助程序|201223|public+static+MvcHtmlString+AntiForgeryTokenForAjaxPost(this+HtmlHelper+helper)
{
++++var+antiForgeryInputTag+=+helper.AntiForgeryToken().ToString();
++++//+Above+gets+the+following:+<input+name="__RequestVerificationToken"+type="hidden"+value="PnQE7R0MIBBAzC7SqtVvwrJpGbRvPgzWHo5dSyoSaZoabRjf9pCyzjujYBU_qKDJmwIOiPRDwBV1TNVdXFVgzAvN9_l2yt9-nf4Owif0qIDz7WRAmydVPIm6_pmJAI--wvvFQO7g0VvoFArFtAR2v6Ch1wmXCZ89v0-lNOGZLZc1"+/>
++++var+removedStart+=+antiForgeryInputTag.Replace(@"<input+name=""__RequestVerificationToken""+type=""hidden""+value=""",+"");
++++var+tokenValue+=+removedStart.Replace(@"""+/>",+"");
++++if+(antiForgeryInputTag+==+removedStart+%7C%7C+removedStart+==+tokenValue)
++++++++throw+new+InvalidOperationException("Oops!+The+Html.AntiForgeryToken()+method+seems+to+return+something+I+did+not+expect.");
++++return+new+MvcHtmlString(string.Format(@"{0}:""{1}""",+"__RequestVerificationToken",+tokenValue));
}|code-block|syntax|javascript|201224|它将返回一个字符串|201225|__RequestVerificationToken:"P5g2D8vRyE3aBn7qQKfVVVAsQc853s-naENvpUAPZLipuw0pa_ffBf9cINzFgIRPwsf7Ykjt46ttJy5ox5r3mzpqvmgNYdnKc1125jphQV0NnM5nGFtcXXqoY3RpusTH_WcHPzH4S4l1PmB8Uu7ubZBftqFdxCLC5n-xT0fHcAY1"|201226|所以我们可以这样使用它|201227|$(function+()+{
++++$("#submit-list").click(function+()+{
++++++++$.ajax({
++++++++++++url:+'@Url.Action("SortDataSourceLibraries")',
++++++++++++data:+{+items:+$(".sortable").sortable('toArray'),+@Html.AntiForgeryTokenForAjaxPost()+},
++++++++++++type:+'post',
++++++++++++traditional:+true
++++++++});
++++});
});|201228|而且它似乎起作用了！|201229|entityMap^0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|U|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|V|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|W|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|X|8|@]|9|@]|A|$]]|$1|K|3|L|5|F|7|Y|8|@]|9|@]|A|$G|H]]|$1|M|3|N|5|6|7|Z|8|@]|9|@]|A|$]]|$1|O|3|P|5|F|7|10|8|@]|9|@]|A|$G|H]]|$1|Q|3|R|5|6|7|11|8|@]|9|@]|A|$]]|$1|S|3|-4|5|6|7|12|8|@]|9|@]|A|$]]]|T|$]]

<p><strong>Another</strong> (less javascriptish) approach, that I did, goes something like this:</p>

<h2>First, an Html helper</h2>

<pre><code>public static MvcHtmlString AntiForgeryTokenForAjaxPost(this HtmlHelper helper)
{
    var antiForgeryInputTag = helper.AntiForgeryToken().ToString();
    // Above gets the following: &lt;input name="__RequestVerificationToken" type="hidden" value="PnQE7R0MIBBAzC7SqtVvwrJpGbRvPgzWHo5dSyoSaZoabRjf9pCyzjujYBU_qKDJmwIOiPRDwBV1TNVdXFVgzAvN9_l2yt9-nf4Owif0qIDz7WRAmydVPIm6_pmJAI--wvvFQO7g0VvoFArFtAR2v6Ch1wmXCZ89v0-lNOGZLZc1" /&gt;
    var removedStart = antiForgeryInputTag.Replace(@"&lt;input name=""__RequestVerificationToken"" type=""hidden"" value=""", "");
    var tokenValue = removedStart.Replace(@""" /&gt;", "");
    if (antiForgeryInputTag == removedStart || removedStart == tokenValue)
        throw new InvalidOperationException("Oops! The Html.AntiForgeryToken() method seems to return something I did not expect.");
    return new MvcHtmlString(string.Format(@"{0}:""{1}""", "__RequestVerificationToken", tokenValue));
}
</code></pre>

<h2>that will return a string</h2>

<pre><code>__RequestVerificationToken:"P5g2D8vRyE3aBn7qQKfVVVAsQc853s-naENvpUAPZLipuw0pa_ffBf9cINzFgIRPwsf7Ykjt46ttJy5ox5r3mzpqvmgNYdnKc1125jphQV0NnM5nGFtcXXqoY3RpusTH_WcHPzH4S4l1PmB8Uu7ubZBftqFdxCLC5n-xT0fHcAY1"
</code></pre>

<h2>so we can use it like this</h2>

<pre><code>$(function () {
    $("#submit-list").click(function () {
        $.ajax({
            url: '@Url.Action("SortDataSourceLibraries")',
            data: { items: $(".sortable").sortable('toArray'), @Html.AntiForgeryTokenForAjaxPost() },
            type: 'post',
            traditional: true
        });
    });
});
</code></pre>

<p>And it seems to work!</p>


blocks|key|2831540|text|我知道这是一个老问题。但我还是会加上我的答案，也许会对像我这样的人有所帮助。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2831541|如果您不想处理控制器的post操作的结果，比如调用Accounts控制器的LoggOff方法，您可以按照@DarinDimitrov的答案的以下版本进行处理：|offset|length|style|CODE|2831542|@using+(Html.BeginForm("LoggOff",+"Accounts",+FormMethod.Post,+new+{+id+=+"__AjaxAntiForgeryForm"+}))
{
++++@Html.AntiForgeryToken()
}


<a+href="#"+id="ajaxSubmit">Submit</a>

<script+type="text/javascript">
++++$('#ajaxSubmit').click(function+()+{

++++++++$('#__AjaxAntiForgeryForm').submit();

++++++++return+false;
++++});
</script>|code-block|syntax|javascript|2831543|entityMap^0|0|P|8|11|7|0|0^^$0|@$1|2|3|4|5|6|7|O|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|P|8|@$D|Q|E|R|F|G]|$D|S|E|T|F|G]]|9|@]|A|$]]|$1|H|3|I|5|J|7|U|8|@]|9|@]|A|$K|L]]|$1|M|3|-4|5|6|7|V|8|@]|9|@]|A|$]]]|N|$]]

<p>I know this is an old question. But I will add my answer anyway, might help someone like me. </p>

<p>If you dont want to process the result from the controller's post action, like calling the <code>LoggOff</code> method of <code>Accounts</code> controller, you could do as the following version of @DarinDimitrov 's answer:</p>

<pre><code>@using (Html.BeginForm("LoggOff", "Accounts", FormMethod.Post, new { id = "__AjaxAntiForgeryForm" }))
{
    @Html.AntiForgeryToken()
}

&lt;!-- this could be a button --&gt;
&lt;a href="#" id="ajaxSubmit"&gt;Submit&lt;/a&gt;

&lt;script type="text/javascript"&gt;
    $('#ajaxSubmit').click(function () {

        $('#__AjaxAntiForgeryForm').submit();

        return false;
    });
&lt;/script&gt;
</code></pre>


blocks|key|2831550|text|这太简单了！当您在html代码中使用@Html.AntiForgeryToken()时，这意味着服务器已经对此页面进行了签名，并且从此特定页面发送到服务器的每个请求都有一个标记，防止黑客发送虚假请求。因此，要让此页面通过服务器的身份验证，您应该经历两个步骤：|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|2831551|1.发送一个名为__RequestVerificationToken的参数，并使用以下代码获取其值：|2831552|<script+type="text/javascript">
++++function+gettoken()+{
++++++++var+token+=+'@Html.AntiForgeryToken()';
++++++++token+=+$(token).val();
++++++++return+token;
+++}
</script>|code-block|syntax|javascript|2831553|例如，以ajax调用为例|2831554|$.ajax({
++++type:+"POST",
++++url:+"/Account/Login",
++++data:+{
++++++++__RequestVerificationToken:+gettoken(),
++++++++uname:+uname,
++++++++pass:+pass
++++},
++++dataType:+'json',
++++contentType:+'application/x-www-form-urlencoded;+charset=utf-8',
++++success:+successFu,
});|2831555|第2步只需通过[ValidateAntiForgeryToken]修饰您的操作方法|2831556|entityMap^0|I|O|0|8|Q|0|0|0|0|7|Q|0^^$0|@$1|2|3|4|5|6|7|U|8|@$9|V|A|W|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|X|8|@$9|Y|A|Z|B|C]]|D|@]|E|$]]|$1|H|3|I|5|J|7|10|8|@]|D|@]|E|$K|L]]|$1|M|3|N|5|6|7|11|8|@]|D|@]|E|$]]|$1|O|3|P|5|J|7|12|8|@]|D|@]|E|$K|L]]|$1|Q|3|R|5|6|7|13|8|@$9|14|A|15|B|C]]|D|@]|E|$]]|$1|S|3|-4|5|6|7|16|8|@]|D|@]|E|$]]]|T|$]]

<p>it is so simple! when you use <code>@Html.AntiForgeryToken()</code> in your html code it means that server has signed this page and each request that is sent to server from this particular page has a sign that is prevented to send a fake request by hackers. so for this page to be authenticated by the server you should go through two steps:</p>

<p>1.send a parameter named <code>__RequestVerificationToken</code> and to gets its value use codes below:</p>

<pre><code>&lt;script type="text/javascript"&gt;
    function gettoken() {
        var token = '@Html.AntiForgeryToken()';
        token = $(token).val();
        return token;
   }
&lt;/script&gt;
</code></pre>

<p>for example take an ajax call</p>

<pre><code>$.ajax({
    type: "POST",
    url: "/Account/Login",
    data: {
        __RequestVerificationToken: gettoken(),
        uname: uname,
        pass: pass
    },
    dataType: 'json',
    contentType: 'application/x-www-form-urlencoded; charset=utf-8',
    success: successFu,
});
</code></pre>

<p>and step 2 just decorate your action method by <code>[ValidateAntiForgeryToken]</code></p>


blocks|key|201254|text|我尝试了很多变通方法，但没有一个对我有效。例外是“必需的防伪表单字段”__RequestVerificationToken。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|201255|帮我解决这个问题的是从.ajax切换到.post：|201256|$.post(
++++url,
++++$(formId).serialize(),
++++function+(data)+{
++++++++$(formId).html(data);
++++});|code-block|syntax|javascript|201257|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|L|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|M|8|@]|9|@]|A|$G|H]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

<p>I tried a lot of workarrounds and non of them worked for me. The exception was "The required anti-forgery form field "__RequestVerificationToken" . </p>

<p>What helped me out was to switch form .ajax to .post: </p>

<pre><code>$.post(
    url,
    $(formId).serialize(),
    function (data) {
        $(formId).html(data);
    });
</code></pre>


blocks|key|3044142|text|在Razor中，当你使用Asp.Net时，@Html.AntiForgeryToken()会创建一个名为__RequestVerificationToken的隐藏输入字段来存储令牌。如果您想要编写一个AJAX实现，您必须自己获取这个令牌，并将其作为参数传递给服务器，以便对其进行验证。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|3044143|步骤1:获取令牌|3044144|var+token+=+$('input[name="`__RequestVerificationToken`"]').val();|code-block|syntax|javascript|3044145|步骤2:在AJAX调用中传递令牌|3044146|function+registerStudent()+{

var+student+=+{+++++
++++"FirstName":+$('#fName').val(),
++++"LastName":+$('#lName').val(),
++++"Email":+$('#email').val(),
++++"Phone":+$('#phone').val(),
};

$.ajax({
++++url:+'/Student/RegisterStudent',
++++type:+'POST',
++++data:+{+
+++++__RequestVerificationToken:token,
+++++student:+student,
++++++++},
++++dataType:+'JSON',
++++contentType:'application/x-www-form-urlencoded;+charset=utf-8',
++++success:+function+(response)+{
++++++++if+(response.result+==+"Success")+{
++++++++++++alert('Student+Registered+Succesfully!')

++++++++}
++++},
++++error:+function+(x,h,r)+{
++++++++alert('Something+went+wrong')
++++++}
})
};|3044147|注意：：内容类型应为'application/x-www-form-urlencoded;+charset=utf-8'|BOLD|3044148|我已经把这个项目上传到了Github上，你可以下载并试用一下。|3044149|https://github.com/lambda2016/AjaxValidateAntiForgeryToken|3044150|entityMap|0|LINK|mutability|MUTABLE|url^0|L|O|1G|Q|0|0|0|0|0|0|3|A|1E|0|0|0|1M|0|0^^$0|@$1|2|3|4|5|6|7|14|8|@$9|15|A|16|B|C]|$9|17|A|18|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|19|8|@]|D|@]|E|$]]|$1|H|3|I|5|J|7|1A|8|@]|D|@]|E|$K|L]]|$1|M|3|N|5|6|7|1B|8|@]|D|@]|E|$]]|$1|O|3|P|5|J|7|1C|8|@]|D|@]|E|$K|L]]|$1|Q|3|R|5|6|7|1D|8|@$9|1E|A|1F|B|S]|$9|1G|A|1H|B|C]]|D|@]|E|$]]|$1|T|3|U|5|6|7|1I|8|@]|D|@]|E|$]]|$1|V|3|W|5|6|7|1J|8|@]|D|@$9|1K|A|1L|1|1M]]|E|$]]|$1|X|3|-4|5|6|7|1N|8|@]|D|@]|E|$]]]|Y|$Z|$5|10|11|12|E|$13|W]]]]

<p>In Asp.Net MVC when you use <code>@Html.AntiForgeryToken()</code> Razor creates a hidden input field with name <code>__RequestVerificationToken</code> to store tokens. If you want to write an AJAX implementation you have to fetch this token yourself and pass it as a parameter to the server so it can be validated.</p>

<p>Step 1: Get the token</p>

<pre><code>var token = $('input[name="`__RequestVerificationToken`"]').val();
</code></pre>

<p>Step 2: Pass the token in the AJAX call</p>

<pre><code>function registerStudent() {

var student = {     
    "FirstName": $('#fName').val(),
    "LastName": $('#lName').val(),
    "Email": $('#email').val(),
    "Phone": $('#phone').val(),
};

$.ajax({
    url: '/Student/RegisterStudent',
    type: 'POST',
    data: { 
     __RequestVerificationToken:token,
     student: student,
        },
    dataType: 'JSON',
    contentType:'application/x-www-form-urlencoded; charset=utf-8',
    success: function (response) {
        if (response.result == "Success") {
            alert('Student Registered Succesfully!')

        }
    },
    error: function (x,h,r) {
        alert('Something went wrong')
      }
})
};
</code></pre>

<p><strong>Note</strong>: The content type should be <code>'application/x-www-form-urlencoded; charset=utf-8'</code></p>

<p>I have uploaded the project on Github; you can download and try it.</p>

<p><a href="https://github.com/lambda2016/AjaxValidateAntiForgeryToken" rel="noreferrer">https://github.com/lambda2016/AjaxValidateAntiForgeryToken</a></p>


blocks|key|198243|text|请随意使用以下功能：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|198244|function+AjaxPostWithAntiForgeryToken(destinationUrl,+successCallback)+{
var+token+=+$('input[name="__RequestVerificationToken"]').val();
var+headers+=+{};
headers["__RequestVerificationToken"]+=+token;
$.ajax({
++++type:+"POST",
++++url:+destinationUrl,
++++data:+{+__RequestVerificationToken:+token+},+//+Your+other+data+will+go+here
++++dataType:+"json",
++++success:+function+(response)+{
++++++++successCallback(response);
++++},
++++error:+function+(xhr,+status,+error)+{
+++++++//+handle+failure
++++}
});|code-block|syntax|javascript|198245|}|198246|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|L|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|M|8|@]|9|@]|A|$]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

<p>Feel free to use the function below:</p>

<pre><code>function AjaxPostWithAntiForgeryToken(destinationUrl, successCallback) {
var token = $('input[name="__RequestVerificationToken"]').val();
var headers = {};
headers["__RequestVerificationToken"] = token;
$.ajax({
    type: "POST",
    url: destinationUrl,
    data: { __RequestVerificationToken: token }, // Your other data will go here
    dataType: "json",
    success: function (response) {
        successCallback(response);
    },
    error: function (xhr, status, error) {
       // handle failure
    }
});
</code></pre>

<p>}</p>


blocks|key|3044219|text|在Asp.Net核心中，您可以直接请求令牌as+documented|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|3044220|@inject+Microsoft.AspNetCore.Antiforgery.IAntiforgery+Xsrf++++
@functions{
++++public+string+GetAntiXsrfRequestToken()
++++{
++++++++return+Xsrf.GetAndStoreTokens(Context).RequestToken;
++++}
}|code-block|syntax|javascript|3044221|并在javascript中使用它：|3044222|function+DoSomething(id)+{
++++$.post("/something/todo/"%2Bid,
+++++++++++++++{+"__RequestVerificationToken":+'@GetAntiXsrfRequestToken()'+});
}|3044223|您可以添加推荐的全局过滤器as+documented|3044224|services.AddMvc(options+=>
{
++++options.Filters.Add(new+AutoValidateAntiforgeryTokenAttribute());
})|3044225|3044226|更新|style|BOLD|3044227|上面的解决方案在属于.cshtml一部分的脚本中工作。如果不是这样，那么你就不能直接使用它。我的解决方案是首先使用隐藏字段来存储值。|3044228|我的解决方法，仍然使用GetAntiXsrfRequestToken|CODE|3044229|当没有表单时：|3044230|<input+type="hidden"+id="RequestVerificationToken"+value="@GetAntiXsrfRequestToken()">|3044231|由于我使用的是id属性，因此可以省略name属性。|3044232|每个表单都包含此令牌。因此，您还可以通过name搜索现有字段，而不是在隐藏字段中添加相同令牌的另一个副本。请注意:一个文档中可以有多个表单，因此name在这种情况下不是唯一的。与id属性不同，它应该是唯一的。|3044233|在脚本中，按id查找：|3044234|function+DoSomething(id)+{
++++$.post("/something/todo/"%2Bid,
+++++++{+"__RequestVerificationToken":+$('#RequestVerificationToken').val()+});
}|3044235|3044236|另一种方法是使用脚本提交表单，而不必引用令牌。|3044237|示例表单：|3044238|<form+id="my_form"+action="/something/todo/create"+method="post">
</form>|3044239|令牌将作为隐藏字段自动添加到表单中：|3044240|<form+id="my_form"+action="/something/todo/create"+method="post">
<input+name="__RequestVerificationToken"+type="hidden"+value="Cf..."+/></form>|3044241|并在脚本中提交：|3044242|function+DoSomething()+{
++++$('#my_form').submit();
}|3044243|或者使用post方法：|3044244|function+DoSomething()+{
++++var+form+=+$('#my_form');

++++$.post("/something/todo/create",+form.serialize());
}|3044245|entityMap|0|LINK|mutability|MUTABLE|url|https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1#javascript|1|https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1#automatically-validate-antiforgery-tokens-for-unsafe-http-methods-only^0|L|D|0|0|0|0|0|D|D|1|0|0|0|0|2|0|0|B|N|0|0|0|7|2|I|4|0|K|4|20|4|2H|2|0|0|0|0|0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|25|8|@]|9|@$A|26|B|27|1|28]]|C|$]]|$1|D|3|E|5|F|7|29|8|@]|9|@]|C|$G|H]]|$1|I|3|J|5|6|7|2A|8|@]|9|@]|C|$]]|$1|K|3|L|5|F|7|2B|8|@]|9|@]|C|$G|H]]|$1|M|3|N|5|6|7|2C|8|@]|9|@$A|2D|B|2E|1|2F]]|C|$]]|$1|O|3|P|5|F|7|2G|8|@]|9|@]|C|$G|H]]|$1|Q|3|-4|5|6|7|2H|8|@]|9|@]|C|$]]|$1|R|3|S|5|6|7|2I|8|@$A|2J|B|2K|T|U]]|9|@]|C|$]]|$1|V|3|W|5|6|7|2L|8|@]|9|@]|C|$]]|$1|X|3|Y|5|6|7|2M|8|@$A|2N|B|2O|T|Z]]|9|@]|C|$]]|$1|10|3|11|5|6|7|2P|8|@]|9|@]|C|$]]|$1|12|3|13|5|F|7|2Q|8|@]|9|@]|C|$G|H]]|$1|14|3|15|5|6|7|2R|8|@$A|2S|B|2T|T|Z]|$A|2U|B|2V|T|Z]]|9|@]|C|$]]|$1|16|3|17|5|6|7|2W|8|@$A|2X|B|2Y|T|Z]|$A|2Z|B|30|T|Z]|$A|31|B|32|T|Z]]|9|@]|C|$]]|$1|18|3|19|5|6|7|33|8|@]|9|@]|C|$]]|$1|1A|3|1B|5|F|7|34|8|@]|9|@]|C|$G|H]]|$1|1C|3|-4|5|6|7|35|8|@]|9|@]|C|$]]|$1|1D|3|1E|5|6|7|36|8|@]|9|@]|C|$]]|$1|1F|3|1G|5|6|7|37|8|@]|9|@]|C|$]]|$1|1H|3|1I|5|F|7|38|8|@]|9|@]|C|$G|H]]|$1|1J|3|1K|5|6|7|39|8|@]|9|@]|C|$]]|$1|1L|3|1M|5|F|7|3A|8|@]|9|@]|C|$G|H]]|$1|1N|3|1O|5|6|7|3B|8|@]|9|@]|C|$]]|$1|1P|3|1Q|5|F|7|3C|8|@]|9|@]|C|$G|H]]|$1|1R|3|1S|5|6|7|3D|8|@]|9|@]|C|$]]|$1|1T|3|1U|5|F|7|3E|8|@]|9|@]|C|$G|H]]|$1|1V|3|-4|5|6|7|3F|8|@]|9|@]|C|$]]]|1W|$1X|$5|1Y|1Z|20|C|$21|22]]|23|$5|1Y|1Z|20|C|$21|24]]]]

<p>In Asp.Net Core you can request the token directly, <a href="https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1#javascript" rel="nofollow noreferrer">as documented</a>:</p>

<pre><code>@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf    
@functions{
    public string GetAntiXsrfRequestToken()
    {
        return Xsrf.GetAndStoreTokens(Context).RequestToken;
    }
}
</code></pre>

<p>And use it in javascript:</p>

<pre><code>function DoSomething(id) {
    $.post("/something/todo/"+id,
               { "__RequestVerificationToken": '@GetAntiXsrfRequestToken()' });
}
</code></pre>

<p>You can add the recommended global filter, <a href="https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1#automatically-validate-antiforgery-tokens-for-unsafe-http-methods-only" rel="nofollow noreferrer">as documented</a>:</p>

<pre><code>services.AddMvc(options =&gt;
{
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
})
</code></pre>

<hr>

<p><strong>Update</strong></p>

<p>The above solution works in scripts that are part of the .cshtml. If this is not the case then you can't use this directly. My solution was to use a hidden field to store the value first.</p>

<p>My workaround, still using <code>GetAntiXsrfRequestToken</code>:</p>

<p>When there is no form:</p>

<pre><code>&lt;input type="hidden" id="RequestVerificationToken" value="@GetAntiXsrfRequestToken()"&gt;
</code></pre>

<p>The <code>name</code> attribute can be omitted since I use the <code>id</code> attribute.</p>

<p><em>Each form</em> includes this token. So instead of adding yet another copy of the same token in a hidden field, you can also search for an existing field by <code>name</code>. Please note: there can be multiple forms inside a document, so <code>name</code> is in that case not unique. Unlike an <code>id</code> attribute that <em>should</em> be unique.</p>

<p>In the script, find by id:</p>

<pre><code>function DoSomething(id) {
    $.post("/something/todo/"+id,
       { "__RequestVerificationToken": $('#RequestVerificationToken').val() });
}
</code></pre>

<hr>

<p>An alternative, without having to reference the token, is to submit the form with script.</p>

<p>Sample form:</p>

<pre><code>&lt;form id="my_form" action="/something/todo/create" method="post"&gt;
&lt;/form&gt;
</code></pre>

<p>The token is automatically added to the form as a hidden field:</p>

<pre><code>&lt;form id="my_form" action="/something/todo/create" method="post"&gt;
&lt;input name="__RequestVerificationToken" type="hidden" value="Cf..." /&gt;&lt;/form&gt;
</code></pre>

<p>And submit in the script:</p>

<pre><code>function DoSomething() {
    $('#my_form').submit();
}
</code></pre>

<p>Or using a post method:</p>

<pre><code>function DoSomething() {
    var form = $('#my_form');

    $.post("/something/todo/create", form.serialize());
}
</code></pre>


blocks|key|3044267|text|在帐户控制器中：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3044268|++++//+POST:+/Account/SendVerificationCodeSMS
++++[HttpPost]
++++[AllowAnonymous]
++++[ValidateAntiForgeryToken]
++++public+JsonResult+SendVerificationCodeSMS(string+PhoneNumber)
++++{
++++++++return+Json(PhoneNumber);
++++}|code-block|syntax|javascript|3044269|在视图中：|3044270|$.ajax(
{
++++url:+"/Account/SendVerificationCodeSMS",
++++method:+"POST",
++++contentType:+'application/x-www-form-urlencoded;+charset=utf-8',
++++dataType:+"json",
++++data:+{
++++++++PhoneNumber:+$('[name="PhoneNumber"]').val(),
++++++++__RequestVerificationToken:+$('[name="__RequestVerificationToken"]').val()
++++},
++++success:+function+(data,+textStatus,+jqXHR)+{
++++++++if+(textStatus+==+"success")+{
++++++++++++alert(data);
++++++++++++//+Do+something+on+page
++++++++}
++++++++else+{
++++++++++++//+Do+something+on+page
++++++++}
++++},
++++error:+function+(jqXHR,+textStatus,+errorThrown)+{
++++++++console.log(textStatus);
++++++++console.log(jqXHR.status);
++++++++console.log(jqXHR.statusText);
++++++++console.log(jqXHR.responseText);
++++}
});|3044271|将contentType设置为'application/x-www-form-urlencoded;+charset=utf-8'或直接从对象中忽略contentType是很重要的……|offset|length|style|CODE|3044272|entityMap^0|0|0|0|0|1|B|F|1E|22|B|0^^$0|@$1|2|3|4|5|6|7|S|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|T|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|U|8|@]|9|@]|A|$]]|$1|I|3|J|5|D|7|V|8|@]|9|@]|A|$E|F]]|$1|K|3|L|5|6|7|W|8|@$M|X|N|Y|O|P]|$M|Z|N|10|O|P]|$M|11|N|12|O|P]]|9|@]|A|$]]|$1|Q|3|-4|5|6|7|13|8|@]|9|@]|A|$]]]|R|$]]

<p>In Account controller:</p>

<pre><code>    // POST: /Account/SendVerificationCodeSMS
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public JsonResult SendVerificationCodeSMS(string PhoneNumber)
    {
        return Json(PhoneNumber);
    }
</code></pre>

<p>In View:</p>

<pre><code>$.ajax(
{
    url: "/Account/SendVerificationCodeSMS",
    method: "POST",
    contentType: 'application/x-www-form-urlencoded; charset=utf-8',
    dataType: "json",
    data: {
        PhoneNumber: $('[name="PhoneNumber"]').val(),
        __RequestVerificationToken: $('[name="__RequestVerificationToken"]').val()
    },
    success: function (data, textStatus, jqXHR) {
        if (textStatus == "success") {
            alert(data);
            // Do something on page
        }
        else {
            // Do something on page
        }
    },
    error: function (jqXHR, textStatus, errorThrown) {
        console.log(textStatus);
        console.log(jqXHR.status);
        console.log(jqXHR.statusText);
        console.log(jqXHR.responseText);
    }
});
</code></pre>

<p>It is important to set <code>contentType</code> to <code>'application/x-www-form-urlencoded; charset=utf-8'</code> or just omit <code>contentType</code>from the object ...</p>


blocks|key|201311|text|如果令牌由不同的控制器提供，则令牌将不起作用。例如，如果视图是由Accounts控制器返回的，那么它将不起作用，但是您可以POST到Clients控制器。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|201312|entityMap^0|W|8|1P|4|1U|7|0^^$0|@$1|2|3|4|5|6|7|H|8|@$9|I|A|J|B|C]|$9|K|A|L|B|C]|$9|M|A|N|B|C]]|D|@]|E|$]]|$1|F|3|-4|5|6|7|O|8|@]|D|@]|E|$]]]|G|$]]

<p>The token won't work if it was supplied by a different controller.  E.g. it won't work if the view was returned by the <code>Accounts</code> controller, but you <code>POST</code> to the <code>Clients</code> controller.</p>


blocks|key|2831742|text|创建一个负责添加令牌的方法|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2831743|var+addAntiForgeryToken+=+function+(data)+{
++++data.__RequestVerificationToken+=+$("[name='__RequestVerificationToken']").val();
++++return+data;
};|code-block|syntax|javascript|2831744|现在，在将数据/参数传递给Action时使用此方法，如下所示|2831745|+var+Query+=+$("#Query").val();
++++++++$.ajax({
++++++++++++url:+'@Url.Action("GetData",+"DataCheck")',
++++++++++++type:+"POST",
++++++++++++data:+addAntiForgeryToken({+Query:+Query+}),
++++++++++++dataType:+'JSON',
++++++++++++success:+function+(data)+{
++++++++++++if+(data.message+==+"Success")+{
++++++++++++$('#itemtable').html(data.List);
++++++++++++return+false;
++++++++++++}
++++++++++++},
++++++++++++error:+function+(xhr)+{
++++++++++++$.notify({
++++++++++++message:+'Error',
++++++++++++status:+'danger',
++++++++++++pos:+'bottom-right'
++++++++++++});
++++++++++++}
++++++++++++});|2831746|在这里，我的Action只有一个string类型的参数|2831747|++++[HttpPost]
++++[ValidateAntiForgeryToken]
++++public+JsonResult+GetData(+string+Query)
++++{|2831748|entityMap^0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|Q|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|R|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|S|8|@]|9|@]|A|$]]|$1|I|3|J|5|D|7|T|8|@]|9|@]|A|$E|F]]|$1|K|3|L|5|6|7|U|8|@]|9|@]|A|$]]|$1|M|3|N|5|D|7|V|8|@]|9|@]|A|$E|F]]|$1|O|3|-4|5|6|7|W|8|@]|9|@]|A|$]]]|P|$]]

<p>Create a method that will responsible to add token</p>
<pre><code>var addAntiForgeryToken = function (data) {
    data.__RequestVerificationToken = $(&quot;[name='__RequestVerificationToken']&quot;).val();
    return data;
};
</code></pre>
<p>Now use this method while passing data/parameters to Action like below</p>
<pre><code> var Query = $(&quot;#Query&quot;).val();
        $.ajax({
            url: '@Url.Action(&quot;GetData&quot;, &quot;DataCheck&quot;)',
            type: &quot;POST&quot;,
            data: addAntiForgeryToken({ Query: Query }),
            dataType: 'JSON',
            success: function (data) {
            if (data.message == &quot;Success&quot;) {
            $('#itemtable').html(data.List);
            return false;
            }
            },
            error: function (xhr) {
            $.notify({
            message: 'Error',
            status: 'danger',
            pos: 'bottom-right'
            });
            }
            });
</code></pre>
<p>Here my Action have a single parameter of string type</p>
<pre><code>    [HttpPost]
    [ValidateAntiForgeryToken]
    public JsonResult GetData( string Query)
    {
</code></pre>


blocks|key|3044293|text|+@using+(Ajax.BeginForm("SendInvitation",+"Profile",
++++++++new+AjaxOptions+{+HttpMethod+=+"POST",+OnSuccess+=+"SendInvitationFn"+},
++++++++new+{+@class+=+"form-horizontal",+id+=+"invitation-form"+}))
++++{
++++++++@Html.AntiForgeryToken()
++++++++<span+class="red"+id="invitation-result">@Html.ValidationSummary()</span>

++++++++<div+class="modal-body">
++++++++++++<div+class="row-fluid+marg-b-15">
++++++++++++++++<label+class="block">++++++++++++++++++++++++
++++++++++++++++</label>
++++++++++++++++<input+type="text"+id="EmailTo"+name="EmailTo"+placeholder="forExample@gmail.com"+value=""+/>
++++++++++++</div>
++++++++</div>

++++++++<div+class="modal-footer+right">
++++++++++++<div+class="row-fluid">
++++++++++++++++<button+type="submit"+class="btn+btn-changepass-new">send</button>
++++++++++++</div>
++++++++</div>
++++}|type|code-block|depth|inlineStyleRanges|entityRanges|data|syntax|javascript|3044294|unstyled|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|G|8|@]|9|@]|A|$B|C]]|$1|D|3|-4|5|E|7|H|8|@]|9|@]|A|$]]]|F|$]]

<pre><code> @using (Ajax.BeginForm(&quot;SendInvitation&quot;, &quot;Profile&quot;,
        new AjaxOptions { HttpMethod = &quot;POST&quot;, OnSuccess = &quot;SendInvitationFn&quot; },
        new { @class = &quot;form-horizontal&quot;, id = &quot;invitation-form&quot; }))
    {
        @Html.AntiForgeryToken()
        &lt;span class=&quot;red&quot; id=&quot;invitation-result&quot;&gt;@Html.ValidationSummary()&lt;/span&gt;

        &lt;div class=&quot;modal-body&quot;&gt;
            &lt;div class=&quot;row-fluid marg-b-15&quot;&gt;
                &lt;label class=&quot;block&quot;&gt;                        
                &lt;/label&gt;
                &lt;input type=&quot;text&quot; id=&quot;EmailTo&quot; name=&quot;EmailTo&quot; placeholder=&quot;forExample@gmail.com&quot; value=&quot;&quot; /&gt;
            &lt;/div&gt;
        &lt;/div&gt;

        &lt;div class=&quot;modal-footer right&quot;&gt;
            &lt;div class=&quot;row-fluid&quot;&gt;
                &lt;button type=&quot;submit&quot; class=&quot;btn btn-changepass-new&quot;&gt;send&lt;/button&gt;
            &lt;/div&gt;
        &lt;/div&gt;
    }
</code></pre>


<p>I am having trouble with the AntiForgeryToken with ajax. I'm using ASP.NET MVC 3. I tried the solution in <a href="https://stackoverflow.com/questions/4074199/jquery-ajax-calls-and-the-html-antiforgerytoken">jQuery Ajax calls and the Html.AntiForgeryToken()</a>. Using that solution, the token is now being passed:</p>

<pre><code>var data = { ... } // with token, key is '__RequestVerificationToken'

$.ajax({
        type: "POST",
        data: data,
        datatype: "json",
        traditional: true,
        contentType: "application/json; charset=utf-8",
        url: myURL,
        success: function (response) {
            ...
        },
        error: function (response) {
            ...
        }
    });
</code></pre>

<p>When I remove the <code>[ValidateAntiForgeryToken]</code> attribute just to see if the data (with the token) is being passed as parameters to the controller, I can see that they are being passed. But for some reason, the <code>A required anti-forgery token was not supplied or was invalid.</code> message still pops up when I put the attribute back.</p>

<p>Any ideas?</p>

<p><strong>EDIT</strong></p>

<p>The antiforgerytoken is being generated inside a form, but I'm not using a submit action to submit it. Instead, I'm just getting the token's value using jquery and then trying to ajax post that.</p>

<p>Here is the form that contains the token, and is located at the top master page:</p>

<pre><code>&lt;form id="__AjaxAntiForgeryForm" action="#" method="post"&gt;
    @Html.AntiForgeryToken()
&lt;/form&gt;
</code></pre>


include antiforgerytoken in ajax post ASP.NET MVC

身份验证

服务器

JSON

我在使用ajax的AntiForgeryToken时遇到了问题。我使用的是ASP.NET MVC3，我在中尝试过这个解决方案。使用该解决方案，现在可以传递令牌：var data = { ... } // with token, key is '__RequestVerificationToken'$.ajax({   ...

问在ajax post ASP.NET MVC中包含反伪造令牌
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问在ajax post ASP.NET MVC中包含反伪造令牌EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问在ajax post ASP.NET MVC中包含反伪造令牌
EN