0
votes

I know (well, strongly suspect) that this is because the AntiRequestForgery token is invalid.

I'm making two requests using Fiddler. The first returns a page with a form:

GET http://localhost:5000/ HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-GB,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393
Accept-Encoding: gzip, deflate
Host: localhost:5000
Connection: Keep-Alive
Cookie: Webstorm-c18bf75a=81231d9f-edfd-4dbe-bb5a-f6a38d7df3c8; Webstorm-e6130ebb=b043c250-7e3b-44e1-ae53-2a1fd1e938ad; ai_user=a5B0s|2018-04-18T10:45:08.497Z; Webstorm-4df43b9a=25c25d80-7f4a-4ecf-8b74-a84698ccdfbe; .AspNetCore.Antiforgery.eVFzQSsi0_I=CfDJ8ERJiHn9THRElV--1wHd1Ro9Jv2DKwgMTQr1VCL4I-TphhEyTEiHsVS0z8K-Jyz_6VMNQETIEk3Yi5czv3rgMAwzmG76UrsB078j5oPJ8m6esxBQ8zLH9OEpeXqMDu570wRLkCSEQPyTIakVibTOmEM
HTTP/1.1 200 OK
Date: Sun, 25 Nov 2018 14:44:15 GMT
Content-Type: text/html; charset=utf-8
Server: Kestrel
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 697

<!DOCTYPE html>

<html>
<head>
    <meta name="viewport" content="width=device-width" />
    <title>Index</title>
</head>
<body>
<article>
    <section>
        <h1>Index</h1>
    </section>
    <section>

<form method="post" action="/Echo">
    <p><label for="message">Enter message:  </label><input type="text" name="message" id="message"/></p>
    <p><input type="submit" value="Submit"/></p>
<input name="__RequestVerificationToken" type="hidden" value="CfDJ8ERJiHn9THRElV--1wHd1Rp9WyK4QCn6-wcGhXPDZHOFgkcjhJEBGrYgrsoDN3ETiqDId6aMvaHxmtunVp8ioxWYWAMqVqp3HU4ErpY7_lUzw1monlv7AMPY_Q2mzcP1YijG-86DgSeJXaXnpCWNl4c" /></form>
    </section>
</article>
</body>
</html>

I can see the embedded token, I'm wanting to send the post as JSON instead of url encoded. The second request I'm sending is this:

POST http://localhost:5000/Echo HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://localhost:5000/
Accept-Language: en-GB,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393
Content-Type: application/json
Accept-Encoding: gzip, deflate
Content-Length: 229
Host: localhost:5000
Connection: Keep-Alive
Pragma: no-cache
Cookie: Webstorm-c18bf75a=81231d9f-edfd-4dbe-bb5a-f6a38d7df3c8; Webstorm-e6130ebb=b043c250-7e3b-44e1-ae53-2a1fd1e938ad; ai_user=a5B0s|2018-04-18T10:45:08.497Z; Webstorm-4df43b9a=25c25d80-7f4a-4ecf-8b74-a84698ccdfbe; .AspNetCore.Antiforgery.eVFzQSsi0_I=CfDJ8ERJiHn9THRElV--1wHd1Ro9Jv2DKwgMTQr1VCL4I-TphhEyTEiHsVS0z8K-Jyz_6VMNQETIEk3Yi5czv3rgMAwzmG76UrsB078j5oPJ8m6esxBQ8zLH9OEpeXqMDu570wRLkCSEQPyTIakVibTOmEM

{
    "message":  "Hello+World",
    "__RequestVerificationToken": "CfDJ8ERJiHn9THRElV--1wHd1Rp9WyK4QCn6-wcGhXPDZHOFgkcjhJEBGrYgrsoDN3ETiqDId6aMvaHxmtunVp8ioxWYWAMqVqp3HU4ErpY7_lUzw1monlv7AMPY_Q2mzcP1YijG-86DgSeJXaXnpCWNl4c"
}

This returns a 400:

HTTP/1.1 400 Bad Request
Date: Sun, 25 Nov 2018 14:45:12 GMT
Server: Kestrel
Content-Length: 0

How should I pass the token when I'm POSTing JSON?

1

1 Answers

0
votes

Literally just saw the answer. The tokan should be passed as a header:

__RequestVerificationToken: CfDJ8ERJiHn9THRElV--1wHd1RqrINvuOTauZLAAg86eE91T6PHlKf21JOJVGA1TdMoksEVSlE-UWkOon2A0x1RSOqy0gQ_uSZxwQiBy8YArAowajUR1uJo3B4XAWl3abaToa8Gp8K4SPJ1hmSKjXAwzZvk