                                  • Description:
                                    How to use AntiForgeryToken during DevExpress callbacks
                                    See Also:
                                    ValidateAntiForgeryToken purpose, explanation and example
                                    Preventing Cross-Site Request Forgery (CSRF) Attacks in ASP.NET Web API

                                    DevExpress MVC callback-aware Extensions use the jQuery.ajax (POST) plugin for performing callbacks.
                                    By default, these requests contain only the data required by the extensions. To pass custom data (such as the AntiForgeryToken value), perform the following steps:
                                    - Render the AntiForgeryToken in any of the following ways:
                                        - Inside a form:

                                          @using(Html.BeginForm()) {
                                              @Html.AntiForgeryToken()
                                              ...
                                          }

                                        - Inside a DevExpress MVC Extension (as a part of some container):

                                          @Html.DevExpress().CallbackPanel(settings => {
                                              settings.SetContent(() => {
                                                  ViewContext.Writer.Write(Html.AntiForgeryToken().ToHtmlString());
                                              });
                                              ...
                                          }).GetHtml()

                                    - Use the technique described in the "Include AntiForgeryToken in ajax post ASP.NET MVC" thread to retrieve the AntiForgeryToken value within the specified container.
                                    - Use the "Passing Values to Controller Action Through Callbacks" technique to pass the retrieved value as custom data through a callback invoked by a DevExpress MVC callback-aware Extension.

                                    The linked E5112 - How to use AntiForgeryToken during DevExpress callbacks example illustrates this technique in action.
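
The retrieve-and-pass steps above, sketched as a client-side BeginCallback handler. This is an added example, not code from the E5112 project or from DevExpress. The helper names `findAntiForgeryToken` and `addTokenToCallback` and the handler name `OnBeginCallback` are hypothetical, and the sketch assumes the default hidden field name that Html.AntiForgeryToken() renders.

```javascript
// Added example (not the E5112 project's code). Assumes the default hidden
// field name rendered by Html.AntiForgeryToken().
const TOKEN_FIELD = "__RequestVerificationToken";

// Return the token from the first container that holds a non-empty token
// input, or null when none does. Containers are searched in order, so a token
// rendered inside the extension wins over one elsewhere on the page.
function findAntiForgeryToken(containers) {
  for (const container of containers) {
    if (!container) continue; // e.g. the extension has no main element yet
    const input = container.querySelector('input[name="' + TOKEN_FIELD + '"]');
    if (input && input.value) return input.value;
  }
  return null;
}

// Copy the token into the callback's custom arguments so it travels with the
// callback data. Returns false when no token was found; the callback then
// goes out without one and an action marked [ValidateAntiForgeryToken]
// rejects it on the server.
function addTokenToCallback(e, containers) {
  const token = findAntiForgeryToken(containers);
  if (token === null) return false;
  e.customArgs = e.customArgs || {};
  e.customArgs[TOKEN_FIELD] = token;
  return true;
}

// Wire up with: settings.ClientSideEvents.BeginCallback = "OnBeginCallback";
// s is the client-side extension object, e the BeginCallback event arguments.
function OnBeginCallback(s, e) {
  const found = addTokenToCallback(e, [s.GetMainElement(), document]);
  if (!found) {
    console.warn("No anti-forgery token found for callback of " + s.name);
  }
}
```
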

                                    Note that starting with version v2015 vol 1 (15.1), our callback-aware extensions automatically collect values of nested input elements and send them through a callback.
                                    So, it is NO longer necessary to pass RequestVerificationToken as custom request data by handling the client-side BeginCallback event if AntiForgeryToken is rendered within an extension's boundaries (for example, as a part of any template).

                                    To use the AntiForgeryToken with GridView CRUD operations, the token must be placed inside the GridView, for example, in the command column header. See the following code:

                                    settings.CommandColumn.SetHeaderCaptionTemplateContent(c => {
                                        ViewContext.Writer.Write(Html.AntiForgeryToken().ToHtmlString());
                                        ViewContext.Writer.Write("#");
                                    });

                                    Then, pass the token value to the controller using the approach shown above and validate the token in the corresponding actions:

                                    [ValidateAntiForgeryToken]
                                    public ActionResult GridViewAddNewPartial(Product product) { ... }

                                    [ValidateAntiForgeryToken]
                                    public ActionResult GridViewUpdatePartial(Product product) { ... }

                                    [ValidateAntiForgeryToken]
                                    public ActionResult GridViewDeletePartial(int productID) { ... }

                                    See the T292767 - How to use AntiForgeryToken with GridView CRUD operations example for details.
