DNN Forums

AntiForgeryVerification not working

New Around Here
Posts: 10

Hi,

 

I'm writing a C# Module for DotNetNuke 9.13 and I'm having issues with the AntiForgeryToken. When I decorate the post method with [HttpPost] and [DotNetNuke.Web.Mvc.Framework.ActionFilters.ValidateAntiForgeryToken] I get an HTTP 401 error when I submit my form.
If I remove the [DotNetNuke.Web.Mvc.Framework.ActionFilters.ValidateAntiForgeryToken] attribute then it works. When I check the page source BEFORE I click the submit button, I can see the __RequestVerificationToken field inside the form, but when the form is posted, it is not present in the payload being sent (viewed using Fiddler).

There's nothing special with my cshtml form - the main body of it is this:

<code><div id="PaymentDetails" class="paymentDetails">
    <div>
        <label>@Dnn.LocalizeString("lblPaymentReference") *</label>
        @Html.TextBoxFor(m => m.Details.Reference)
        <span>@Dnn.LocalizeString("lblPaymentReferenceExplanation")</span>
        @Html.ValidationMessageFor(m => m.Details.Reference, @Dnn.LocalizeString("ReferenceRequired"))
    </div>
</div>
<div id="Actions" class="margins-tlr-15 padded">
    <button type="submit" class="dnnPrimaryAction">@Dnn.LocalizeString("Submit")</button>
</div></code>

My controller has the following method:

<code>[HttpPost]
[DotNetNuke.Web.Mvc.Framework.ActionFilters.ValidateAntiForgeryToken]
public ActionResult ManualPayment(DtoMakePayment makePayment)
{
    return RedirectToDefaultRoute();
}</code>

When I remove the [DotNetNuke.Web.Mvc.Framework.ActionFilters.ValidateAntiForgeryToken] attribute - then my form posts correctly.

I've looked at the Dnn.ContactList.Mvc sample module - it looks to be implemented the same as what I have, except that my code is not working.

Any help would be greatly appreciated.

Thanx,
Alon

Veteran Member
Posts: 349
If you are not using webforms, then you can't just use a submit button. You need to do an API call yourself and you can use DnnServicesFramework utilities to inject the token with the headers together with everything DNN might need to know for your module context, etc.

There is a jQuery plugin provided by DNN and always available, you can find an example of usage here https://www.dnnsoftware.c...mework-mvc-to-webapi

If you want a version of that, but without jQuery, all the information is in there, but you would have to roll up your own little bit of JavaScript/TypeScript. You can find inspiration here: https://github.com/DNNCom...ServicesFramework.ts
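
The jQuery-free approach described in the reply above, as an added example that is not part of the original post or DNN's own code: it reads the `__RequestVerificationToken` hidden field, sends it in a `RequestVerificationToken` header together with `ModuleId` and `TabId`, and refuses to post when the field is missing. The header names, the `ctx` object, the endpoint path and the stub documents are assumptions for illustration.

```javascript
// Added example. Only the field name __RequestVerificationToken comes from the thread;
// header names, ctx and paths are assumptions.
const TOKEN_FIELD = '__RequestVerificationToken';

// Read the anti-forgery token from the hidden input rendered on the page.
// Returns null when the field is missing or empty (the popup case in this thread).
function readAntiForgeryToken(doc) {
  const input = doc.querySelector(`input[name="${TOKEN_FIELD}"]`);
  const value = input && typeof input.value === 'string' ? input.value.trim() : '';
  return value === '' ? null : value;
}

// Build the fetch() arguments for a JSON POST to a module endpoint.
// Fails closed: without a token no request is built, and the token is only
// ever attached to a site-relative (same-origin) path.
function buildModuleRequest(doc, ctx, path, payload) {
  const token = readAntiForgeryToken(doc);
  if (token === null) {
    throw new Error(`${TOKEN_FIELD} not found in this document; refusing to post`);
  }
  if (!path.startsWith('/') || path.startsWith('//')) {
    throw new Error('path must be relative to the site root (same origin)');
  }
  return {
    url: path,
    init: {
      method: 'POST',
      credentials: 'same-origin', // the anti-forgery cookie must travel with the token
      headers: {
        'Content-Type': 'application/json',
        ModuleId: String(ctx.moduleId),
        TabId: String(ctx.tabId),
        RequestVerificationToken: token,
      },
      body: JSON.stringify(payload),
    },
  };
}

// Send the request; fetchImpl is injectable so the function can be exercised offline.
async function postToModule(doc, ctx, path, payload, fetchImpl = fetch) {
  const { url, init } = buildModuleRequest(doc, ctx, path, payload);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`POST ${url} failed with HTTP ${res.status}`);
  return res;
}

// Constructed stand-ins for `document`: a page with the field and a popup without it.
const pageWithToken = { querySelector: () => ({ value: 'constructed-token-value' }) };
const popupWithoutToken = { querySelector: () => null };
```

In a browser, pass `document` as `doc`; a thrown "not found" error is the same condition the original poster saw in the popup.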
Veteran Member
Posts: 360
Here are a few sample projects for reference's sake on how to handle this.

HTML/JS (SPA)
https://github.com/DNNCom...y/starter-module-spa

MVC
https://github.com/DNNCom...y/starter-module-mvc

Web API
https://github.com/DNNCommunity/starter-web-api

Web Forms
https://github.com/DNNCom...ter-module-web-forms

David Poindexter


New Around Here
Posts: 10

Hi,

Thanx for your response - much appreciated.

I'm using MVC with Razor script - not webforms.
When I remove the AntiforgeryToken attribute - I can see that the correct method in my controller is being called and everything is working, so I know that things are hooked up correctly. It just stops working when I put the attribute back on my method.

I'm currently not using JavaScript to submit the form - it is just a plain old submit button - using the DNN platform to submit.

The thing I don't understand is this:

I can see the hidden antiforgery token in the form when I view the source code, but when I submit the form, I can see that the token is stripped from the payload being sent to the server (viewed in browser development tools).

Thanx,

Alon

New Around Here
Posts: 10

Hi David,

Many thanks for responding to this post - I really appreciate it.

I based my code on the DnnSoftware MVC sample by Charles Nurse : https://github.com/dnnsof...Platform.Samples.Mvc

I don't see any obvious difference between my method and the one in the MVC sample - except that mine doesn't work and the sample does.

Thanx,
Alon

New Around Here
Posts: 10

A bit more detail / information:

In both my module and the DnnSoftware MVC sample, the Edit form is a popup.

Upon further investigation, I could see that the parent page had the __RequestVerificationToken in a hidden field, but my popup page did not.
When compared to the DNN MVC sample - that popup page did have the field in it.

To work around the issue, I simply created a hidden field and copied the token from the parent page.

This works, but I still don't understand why the field is missing in the first instance.

Veteran Member
Posts: 360
You may find this line helpful:
https://github.com/DNNCom...ngsController.cs#L34

It is also used in the sample project you referenced:
https://github.com/dnnsof...actController.cs#L74

David Poindexter


New Around Here
Posts: 10

Hi David,

If you look at my original post - my method has the attribute decoration, but it still didn't work.

Thanx,
Alon

Veteran Member
Posts: 360
Alon,

You are more than welcome to join our Friday co-coding sessions on Discord (2 pm EDT). Here is a link to the event:

https://discord.gg/Y3NKUC...=1218260562006376468

Just another couple of random thoughts...do you have a [DnnHandleError] decorator on your class? Or perhaps a [DnnModuleAuthorize] decorator?

David Poindexter

