前言
CSRF(Cross-site request forgery跨站请求伪造,也被称为“One Click Attack”或者Session Riding,通常缩写为CSRF或者XSRF,是一种对网站的恶意利用。本文使用ASP.NET MVC提供的AntiForgery进行安全验证
应用
一、自定义FilterAttribute过滤器
/// <summary>
/// 响应返回值
/// </summary>
public class TActionResult
{
/// <summary>
/// 创建一个返回值
/// </summary>
/// <param name="content">返回值</param>
/// <returns></returns>
public static ActionResult CreateResult(string content)
{
var contentResult = new ContentResult
{
Content = content,
ContentEncoding = Encoding.UTF8
};
return contentResult;
}
}
public class TValidateAntiForgeryTokenAttribute : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
try
{
var request = filterContext.HttpContext.Request;
if (request.HttpMethod == WebRequestMethods.Http.Post)
{
if (request.IsAjaxRequest())
{
var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName];
var cookieValue = antiForgeryCookie != null
? antiForgeryCookie.Value
: null;
//从cookies 和 Headers 中 验证防伪标记
//获取token
var token = request.Headers["__RequestVerificationToken"];
//验证token
AntiForgery.Validate(cookieValue, token);
}
else
{
new ValidateAntiForgeryTokenAttribute()
.OnAuthorization(filterContext);
}
}
}
catch
{
filterContext.Result = TActionResult.CreateResult("无法验证Token!");
}
}
}
二、视图
@Html.AntiForgeryToken()
三、HomeController
[TValidateAntiForgeryToken]
public string Test()
{
return "Token验证通过!";
}
四、Jquery使用Ajax发请求
1. 设置全局请求头header
$.ajaxSetup({
beforeSend: function (xhr) {
//可以设置自定义标头
xhr.setRequestHeader('__RequestVerificationToken', $("input[name=__RequestVerificationToken][type=hidden]").val());
}
})
2.ajax请求
$.post("/home/test",function(msg) {
alert(msg);
})
五、备注:
1.如果Action上设置缓存,那么视图将不会再次调用@Html.AntiForgeryToken()生成新的,ajax请求还是携带上一次生成的token