Is it possible to use the ValidateAntiForgeryToken attribute on a controller action when the request comes from Ajax.ActionLink (using Http Method Post)? The alternative appears to be to hand-roll a jQuery Ajax request, but I am curious if there is a way within the MVC Ajax framework.
A:
I haven't seen a baked-in way. You have to get the token into the data that goes up in the POST. The anti-forgery token's ID (or name, I can't remember) is the same each time, but you have to be real careful and make sure that the anti-forgery token you are using is the most recent one rendered to the client, which can get tricky in an AJAX app.
Josh Pearce
2009-11-23 23:27:53
I'm going to mark this as correct - with one caveat. The anti-forgery token is unique to the session, not to the request. I found issuing multiple ajax posts with the same anti-forgery token to be successful. My solution was to use a jQuery post call using a method to extract the anti-forgery token from the form. I also found that on a page with multiple forms (and thus multiple unique anti-forgery tokens) I could submit with any one of the available anti-forgery tokens - it didn't seem to matter.
Michael Gattuso
2009-11-27 15:29:54
Thanks for the heads up. I do not use Session, so I believe that is why I experienced a different Token on each request.
Josh Pearce
2009-11-27 17:04:15
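
The approach discussed in this thread (read the token out of the rendered form at submit time and send it in a hand-rolled POST), as an added example that is not code from any of the posters. `__RequestVerificationToken` is the field name that `Html.AntiForgeryToken()` renders; `readAntiForgeryToken`, `buildPostBody`, `postWithToken` and `sampleForm` are hypothetical names, and `fetch` is used in place of jQuery so the block runs without a library.

```javascript
// Added example. Field name rendered by Html.AntiForgeryToken().
const TOKEN_FIELD = "__RequestVerificationToken";

// Read the token from a form element (any object exposing querySelector).
// Called at submit time, so the value is whatever is rendered right now.
function readAntiForgeryToken(form) {
  const input = form.querySelector('input[name="' + TOKEN_FIELD + '"]');
  if (!input || !input.value) {
    throw new Error("no anti-forgery token rendered in this form");
  }
  return input.value;
}

// Build the urlencoded body that [ValidateAntiForgeryToken] will inspect.
function buildPostBody(form, fields) {
  const body = new URLSearchParams();
  for (const [name, value] of Object.entries(fields)) {
    if (name === TOKEN_FIELD) continue; // caller data must not override the token
    body.append(name, String(value));
  }
  body.append(TOKEN_FIELD, readAntiForgeryToken(form));
  return body.toString();
}

// Browser-side POST (hypothetical helper; fetch stands in for jQuery.post).
async function postWithToken(url, form, fields) {
  const response = await fetch(url, {
    method: "POST",
    credentials: "same-origin", // the matching anti-forgery cookie must go too
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildPostBody(form, fields),
  });
  if (!response.ok) throw new Error("POST rejected: HTTP " + response.status);
  return response.text();
}

// Constructed stand-in for a DOM form, so the helpers run outside a browser.
function sampleForm(tokenValue) {
  return {
    querySelector: (selector) =>
      selector === 'input[name="' + TOKEN_FIELD + '"]' && tokenValue !== null
        ? { value: tokenValue }
        : null,
  };
}
```

In a page, pass the real form element, for example `postWithToken(form.action, form, { id: 7 })`.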