Hi. We have recently move a web site to a new Windows 2019 server. On that new server, we noticed that all ajax posts, when using https, are not validating anti forgery token any more. The web site works fine on older versions of Windows server.
Our ajax calls look like this:
$.ajax({ url: "@Url.Content("~/DesktopModules/MVC/ModuleName/Controller/Action")", type: 'POST', data: { 'itemId' : itemId }, headers: { "ModuleId": @Dnn.ModuleContext.ModuleId, "TabId": @Dnn.ModuleContext.TabId, "RequestVerificationToken": $("input[name='__RequestVerificationToken']").val() }, success: function (data) { // Removed }, error: function (jqXHR, textStatus, errorThrown) { // Removed } });
By inspecting the post header, I can confirm that the token is properly sent to server. But we get a 401 error.
If we add the token in data with name __RequestVerificationToken, it works fine. If we only use http, it also works fine. So the anti forgery token is not validated only if it's sent in header on Windows 2019 with https enabled. Is this something expected/known or a bug? I have not found any information about this case.
These Forums are dedicated to the discussion of DNN Platform.
For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:
Awesome! Simply post in the forums using the link below and we'll get you started.