tags:

views:

182

answers:

1
+1  Q: 

Validation issue with ASP.NET MVC AntiForgeryToken

So I have an interesting problem... I'm required to get my webapp to pass through an IBM app scanning appliance before I can push my changes to production. My latest changes include the AntiForgeryToken in ASP.NET MVC. Every browser I've tested this on works just fine, no issues. But when the appliance tries to submit the form, it gets a validation error. Looking at the verification token, the appliance is doing an html encode on the form value on the post, so the strings don't match up... this is what they look like:

cmiuJRHizXLPvlu9zHKmTwdJiHvq+n87CSJZkixkf/BLHayCPVITJhRCsWWirPWg - pulled from the cookie cmiuJRHizXLPvlu9zHKmTwdJiHvq%2Bn87CSJZkixkf%2FBLHayCPVITJhRCsWWirPWg - form value

So it's translating + to %2B and / to %2F... has anyone seen this before? Is this an issue for client browsers? And is there have AntiForgeryToken generate a string that has no special characters so I can get my app through this scan? Thanks!

+1  A: 

Looking at the MVC code it appears that its using the RNGCryptoServiceProvider to create the token. Interestingly they have a method which replaces characters that are unsafe for cookie names (basically the "+" and "/" as you indicated in your question) but it is marked as private and I don't see where it gets used.

Unfortunately you cannot derive your own class from AntiForgeryData class because it is sealed. This is very sad because it was the obvious solution to your question.

You could possibly create a new attribute based on the MVC code and utilize the safety method yourself. It will violate DRY but I dont see a way around that since Microsoft sealed the class.

Sailing Judo  2010-01-07 19:21:20
Microsoft sealed a great number of classes in the MVC framework that probably should not have been. I always found that to be rather odd.
Nathan Taylor  2010-01-07 19:24:33
I'm tempted to just leave it... I haven't had an actual browser have issues with this yet, my guess is the ibm appliance is doing something goofy that's non-standard.
Arthurdent510  2010-01-07 19:32:45

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps