I have the following Ajax.ActionLink, which calls a Delete action method for deleting an object:
    @if (!item.IsAlreadyAssigned(item.LabTestID))
    {
        string i = "Are You sure You want to delete (" + @item.Description.ToString() + ") ?";
        @Ajax.ActionLink("Delete",
            "Delete", "LabTest",
            new { id = item.LabTestID },
            new AjaxOptions
            {
                Confirm = i,
                HttpMethod = "Post",
                OnSuccess = "deletionconfirmation",
                OnFailure = "deletionerror"
            })
    }
But is there a way to include @Html.AntiForgeryToken() with the Ajax.ActionLink deletion call, to make sure that no attacker can send a false deletion request?
BR
Modifying the answer by Bronx:
combined with this answer by Jon White
Edit sorry - realised I am re-inventing the wheel here SO asp-net-mvc-antiforgerytoken-over-ajax/16495855#16495855
You need to use the Html.AntiForgeryToken helper, which sets a cookie and emits a hidden field with the same value. When sending the AJAX request you need to add this value to the POST data as well. So I would use a normal link instead of an Ajax link:
and then put the hidden field somewhere in the DOM (for example before the closing body tag):
and finally unobtrusively AJAXify the delete anchor:
Now you could decorate your Delete action with the ValidateAntiForgeryToken attribute:
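The client-side half of the steps in the answer above, as an added example that is not part of the original answer or its code: it reads the hidden field emitted by `Html.AntiForgeryToken()` and sends it in the POST body so the `ValidateAntiForgeryToken` check on the Delete action can pass. The `a.delete-link` class, the table-row layout and the use of `fetch` are assumptions.

```javascript
// Added example; names marked "assumed" do not come from the original page.
const TOKEN_FIELD = "__RequestVerificationToken"; // field emitted by Html.AntiForgeryToken()

// Read the token from the hidden input. `root` is anything with
// querySelector (the document object in a browser).
function readAntiForgeryToken(root) {
  const input = root.querySelector('input[name="' + TOKEN_FIELD + '"]');
  const value = input && typeof input.value === "string" ? input.value.trim() : "";
  if (!value) {
    // Fail closed: a POST without the token is rejected by the server anyway.
    throw new Error("anti-forgery token field not found in page");
  }
  return value;
}

// Build the POST for a delete link, with the token in the form body.
function buildDeleteRequest(href, token) {
  if (!token) throw new Error("refusing to send delete without anti-forgery token");
  const body = new URLSearchParams();
  body.set(TOKEN_FIELD, token); // percent-encodes '+', '/' and '=' in the token
  return {
    url: href,
    options: {
      method: "POST",
      credentials: "same-origin", // the token cookie must travel with the request
      headers: { "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" },
      body: body.toString(),
    },
  };
}

// Browser wiring: turn plain delete anchors into token-carrying POSTs.
if (typeof document !== "undefined") {
  document.addEventListener("click", function (e) {
    const a = e.target.closest("a.delete-link"); // assumed class on the link
    if (!a) return;
    e.preventDefault();
    if (!window.confirm("Are you sure you want to delete this item?")) return;
    const req = buildDeleteRequest(a.href, readAntiForgeryToken(document));
    fetch(req.url, req.options).then(function (r) {
      if (!r.ok) throw new Error("delete failed: HTTP " + r.status);
      const row = a.closest("tr"); // assumed table-row layout
      if (row) row.remove();
    }).catch(function (err) { console.error(err); });
  });
}
```

The token is base64-like, so building the body by plain string concatenation can turn a `+` into a space on the server and make validation fail; `URLSearchParams` avoids that.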