POST-ing to an ASP.NET MVC form with an anti-forgery token

I've had some issues trying to write an acceptance test that was registering a new user by POST-ing the required information to a MVC site and I got back these messages:

  • The required anti-forgery cookie "__RequestVerificationToken" is not present.
  • The required anti-forgery form field "__RequestVerificationToken" is not present.
  • Validation of the provided anti-forgery token failed. The cookie "_RequestVerificationToken" and the form field "_RequestVerificationToken" were swapped.

Since it took me a bit of fiddling with the code before I managed to make it work, I thought I'd share the solution. The site is an ASP.NET MVC version 5 and I am trying to register a new user (POST-ing to the /Account/Register URL). The main issue you will encounter is having to extract two anti-forgery tokens, one from the cookies and one from the form, and then sending both of them in the appropriate places (cookies vs form field).

I have used LinqPad 5 with a reference to the HtmlAgilityPack NuGet package (to simplify extracting the needed information from the GET form). This is the code:

void Main()
{
  Cookie[] cookies;
  var html = Get("Account/Register", out cookies);
  var root = Parse(html);
  var formToken = GetFormToken(root);
  var cookieToken = GetCookieToken(cookies);
  
  var unique = Guid.NewGuid().ToString("N");
  
  Post("Account/Register", new
    {
      Email = unique + "@example.com",
      User = unique,
      Password = unique,
      ConfirmPassword = unique,
    },
      formToken, cookieToken);
}

  private const string BASE_URL = "http://localhost:5972"; // replace as needed  
  private const string TOKEN_NAME = "__RequestVerificationToken";
  
  private static string Get(string url, out Cookie[] responseCookies)
  {
    using (var web = new CookieAwareWebClient())
    {
      var result = web.DownloadString(BASE_URL + "/" + url);
      responseCookies = web.ResponseCookies.Cast<Cookie>().ToArray();

      return result;
    }
  }

  private static string Post(string url, object body, string formToken = null, string cookieToken = null)
  {
    using (var web = new WebClient())
    {
      var data = GetPostData(body);

      web.Headers["Content-Type"] = "application/x-www-form-urlencoded";
      if (formToken != null)
        data += "&" + TOKEN_NAME + "=" + formToken;
      if (cookieToken != null)
        web.Headers.Add(HttpRequestHeader.Cookie, TOKEN_NAME + "=" + cookieToken);

      return web.UploadString(BASE_URL + "/" + url, data);
    }
  }

  private static string GetPostData(object obj)
  {
    var kv = obj
      .GetType()
      .GetProperties(BindingFlags.Instance | BindingFlags.Public)
      .Select(prop => prop.Name + "=" + WebUtility.UrlEncode(prop.GetValue(obj) + ""))
      .ToArray();
    return string.Join("&", kv);
  }

  private static HtmlNode Parse(string html)
  {
    var doc = new HtmlDocument();
    doc.LoadHtml(html);
    return doc.DocumentNode;
  }

  private static string GetFormToken(HtmlNode root)
  {
    var formToken = root.SelectSingleNode("//*[@name='" + TOKEN_NAME + "']");
    return formToken.GetAttributeValue("value", null);
  }

  private static string GetCookieToken(IEnumerable<Cookie> cookies)
  {
    return cookies
      .Where(it => it.Name == TOKEN_NAME)
      .First()
      .Value;
  }

  // from http://stackoverflow.com/a/29479390
  public class CookieAwareWebClient : WebClient
  {
    public CookieContainer CookieContainer { get; }
    public CookieCollection ResponseCookies { get; set; }

    public CookieAwareWebClient()
    {
      CookieContainer = new CookieContainer();
      ResponseCookies = new CookieCollection();
    }

    protected override WebRequest GetWebRequest(Uri address)
    {
      var request = (HttpWebRequest) base.GetWebRequest(address);
      // ReSharper disable once PossibleNullReferenceException
      request.CookieContainer = CookieContainer;
      return request;
    }

    protected override WebResponse GetWebResponse(WebRequest request)
    {
      var response = (HttpWebResponse) base.GetWebResponse(request);
      // ReSharper disable once PossibleNullReferenceException
      ResponseCookies = response.Cookies;
      return response;
    }
  }

Hope this helps someone.

Comments

Post a Comment

Popular posts from this blog

Posting dynamic Master / Detail forms with Knockout

Image
I have the following dynamic form in my GitHub Inventory project : I created the form with KnockoutJS , using some ideas from this article . The detail view looks like this: <table id="acquisition_items" class="jtable"> <thead> <tr> <th>Product Name</th> <th>Quantity</th> <th>Price</th> <th>Value</th> <th><button data-bind="click: addItem">[+]</button></th> </tr> </thead> <tbody data-bind="foreach: items"> <tr> <td> <input data-bind="value: ProductName" type="text" value="" /> </td> <td> <input data-bind="value: Quantity" type="text" value="" /> </td> <td> ...
Read more

Comparing Excel files, take two

Image
I already wrote this project once, on GitHub , but I can't say that I like the result. I wrote that code without TDD, mostly to see if I can still work in the "normal" fashion. I can, but I had a bug that took me a while to even discover and then was difficult to write tests for. I also hate the temporal dependency in that design (if you don't call the SortBy method first, the ExcludeRecords method will return incorrect results). Anyway; here's attempt number two, writing that code using TDD. Structure I start by creating my usual structure for projects of this type - a library for the logic, a console application for the main program and a test project for tests. I also use the Enable NuGet Package Restore option (right-click on the solution node) to add the three NuGet files that will allow someone to automatically download all the packages I'm referencing without wasting space in the source code repository. (Right now I've only added the Moq pa...
Read more