Question

How to create a __requestverificationtoken anti forgery token in Workflow?

asked on January 19, 2017

Hi all,

I have a website that I'd like to post to. I can get through the login screen OK. At least it looks like I can. However, when I try to POST my JSON data, the website kicks me out to the login page again.

I've been able to determine that the reason for this is I'm missing an antiforgery token, specifically: __requestverificationtoken

I suspect I can create the data using a VB.Net script. Has anyone got any idea how or experience in doing this?

Regards,

Ben

0 0

Answer

SELECTED ANSWER
replied on January 19, 2017

Try running a GET for the page first and scraping the token off the page with pattern matching. Then pass it in your POST.

2 0
replied on January 19, 2017

Right, the point is that it's not possible to create one of these tokens yourself, the server gives it to you in the body of the form and you have to pass it back.

1 0
replied on January 20, 2017

Hi Brian and Miruna,

Thanks for your replies.

I'm able to get the cookie from the customer's website. And I thought I was using it correctly, but after logging in, getting the token, and passing it back when I POST my data, I'm being kicked out to the login page again. I realise this technically doesn't come under LF support but would either of you have time to look over this challenge and fix my workflow?

-Ben

0 0
replied on January 20, 2017

Are you also passing back the cookie with the web request?  You need your POST to exactly match what a browser would do.  You can use the browser's developer tools to see what it sends.  Typically the most important things would be the cookies and the CSRF token (and of course the form body), but it's impossible to say that other headers aren't taken into account.  For instance, it wouldn't be out of the question for the user-agent string to be significant.  Only the author of the web application can tell you what it's using to validate requests.

0 0
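The sequence these replies describe (GET the page, read the hidden `__RequestVerificationToken` field from the form, then send it back together with the cookies from that same response), as an added Python example that is not part of the thread. The HTML, the cookie values, the `AuthSession` cookie name and the `build_post` helper are constructed for illustration, and a form-encoded POST is assumed.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlencode

FIELD = "__RequestVerificationToken"

# Constructed GET response (sample values, not captured from any real site).
SAMPLE_SET_COOKIE = [
    "__RequestVerificationToken=cookie-half-CONSTRUCTED; path=/; HttpOnly",
    "AuthSession=session-CONSTRUCTED; path=/; HttpOnly",
]
SAMPLE_HTML = """
<form action="/Records/Create" method="post">
  <input name="__RequestVerificationToken" type="hidden" value="form-half-CONSTRUCTED&#43;/=" />
  <input name="Title" type="text" value="" />
</form>
"""

class _HiddenFields(HTMLParser):
    """Collect every <input type="hidden"> name/value pair on the page."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values arrive already HTML-unescaped
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def build_post(html, set_cookie_headers, form_data):
    """Return (headers, body) for the POST that follows the GET (hypothetical helper)."""
    parser = _HiddenFields()
    parser.feed(html)
    token = parser.fields.get(FIELD)
    if token is None:
        # Typical when the GET itself was redirected to the login page.
        raise ValueError("no anti-forgery field on page")
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    # The cookie and the form field are different values checked as a pair,
    # so both must come from the same GET response.
    cookie = "; ".join(f"{name}={m.value}" for name, m in jar.items())
    body = urlencode({**form_data, FIELD: token})  # '+', '/', '=' get percent-encoded
    headers = {"Cookie": cookie, "Content-Type": "application/x-www-form-urlencoded"}
    return headers, body
```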
replied on January 21, 2017

I thought I was passing back everything. I used Fiddler to check the back and forth and thought I had everything in place. Might be easier to show you in Long Beach.

0 0
replied on February 9, 2017

Miruna, Brian & Ed H.,

This is working very well now.

Thanks for your assistance.

-Ben

1 0
