Question

I have an SPA application that uses some functionality of ASP.NET MVC4 like AntiForgeryToken.

I don't know how to implement AntiForgeryToken functionality in HTML without using CSHTML, which is not supported in PhoneGap.


Solution 2

The current implementation of the AntiForgery token in ASP.NET MVC relies on the HTML helper, which generates a hidden input field and sets a cookie. If you cannot use this helper you will have to roll this functionality yourself.

Other tips

I think there is a secure way to implement an anti-forgery token without a server generated page:

  1. Create a controller or Web API method that sets an HTTP-only cookie with your anti-forgery token value and returns the anti-forgery token value (as JSON). There is a public method AntiForgery.GetTokens() that is called by Html.AntiForgeryToken(). Use this method to read the token value in C# code.
  2. Call the controller or Web API method (in step 1) from JavaScript in your PhoneGap app, take the returned anti-forgery token and add it to the form using JavaScript (use a hidden input field named __RequestVerificationToken).
  3. Submit the form to a method attributed with [ValidateAntiForgeryToken] and it should validate appropriately.

Microsoft has provided a very similar example implementation here (see section titled 'Anti-CSRF and AJAX').

On the surface this may seem insecure because you have a controller method that sets and returns the anti-forgery token, but web browsers enforce the same origin security policy, so XSRF attacks should not be possible.

Since PhoneGap uses local files, it is not subject to the same-origin policy (see here), so it will be able to make AJAX requests to any domain specified in your config.xml (see <access origin="..." /> here).
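An added example of steps 1 and 3 above as an MVC4 controller; this is not code from the answer or from Microsoft's sample, and the controller name, action names and the JSON property name are assumptions. The PhoneGap side (step 2) only has to copy the returned value into a hidden input named __RequestVerificationToken before posting.

```csharp
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Assumed names: TokenController, Get, Submit and the "formToken" JSON property.
public class TokenController : Controller
{
    // Step 1: issue the cookie half (HttpOnly) and return the form half as JSON.
    [HttpGet]
    public ActionResult Get()
    {
        // Reuse the caller's existing cookie token if there is one, so a second
        // call does not invalidate form tokens that were already handed out.
        HttpCookie existing = Request.Cookies[AntiForgeryConfig.CookieName];
        string oldCookieToken = existing != null ? existing.Value : null;

        string newCookieToken, formToken;
        AntiForgery.GetTokens(oldCookieToken, out newCookieToken, out formToken);

        // GetTokens leaves newCookieToken null when the old cookie is still valid.
        if (newCookieToken != null)
        {
            Response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken)
            {
                HttpOnly = true,                      // script must never read the cookie half
                Secure = Request.IsSecureConnection   // keep it off plain HTTP when served over TLS
            });
        }

        // Only the form half leaves in the body; the cookie half travels as a cookie.
        return Json(new { formToken }, JsonRequestBehavior.AllowGet);
    }

    // Step 3: the framework checks that the cookie token and the posted
    // __RequestVerificationToken field belong to the same pair.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Submit(string payload)
    {
        return Json(new { ok = true });
    }
}
```

A request from another origin can still send the GET, but the browser's same-origin policy keeps it from reading the JSON body, which is what the answer relies on.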

License: CC-BY-SA with attribution