如何通过 ajax 请求验证 CSRF 令牌？我在 site.master 页面中添加了以下代码。
// Name of both the cookie and the view state entry that carry the anti-XSRF token.
private const string AntiXsrfTokenKey = "__AntiXsrfToken";
// View state entry holding the user name the token was issued for.
private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
// Token for the current request; set in Page_Init, compared in master_Page_PreLoad.
private string _antiXsrfTokenValue;
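/// <summary>
/// Establishes the anti-XSRF token for this request: reuses the token carried in
/// the <c>__AntiXsrfToken</c> cookie when it parses as a GUID, otherwise issues a
/// fresh one and sets a new cookie, and binds the token to
/// <see cref="Page.ViewStateUserKey"/>. Requests whose path contains
/// "HtmlRender.aspx" are skipped entirely (no token, no PreLoad check).
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Init(object sender, EventArgs e)
{
    if (Request.Url.AbsolutePath.Contains("HtmlRender.aspx"))
    {
        return;
    }

    // First, check for the existence of the anti-XSRF cookie.
    var requestCookie = Request.Cookies[AntiXsrfTokenKey];

    // The token is issued as Guid.ToString("N") (32 hex digits), so the cookie must
    // be parsed as a Guid. Parsing it as Int32 always fails, which silently issued a
    // new token on every request and made the PreLoad validation fail on postback.
    Guid requestCookieGuidValue;
    if (requestCookie != null
        && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
    {
        // Reuse the cookie value; master_Page_PreLoad compares it with the
        // copy stored in view state.
        _antiXsrfTokenValue = requestCookie.Value;
        // The framework validates the view state user key on each request.
        Page.ViewStateUserKey = _antiXsrfTokenValue;
    }
    else
    {
        // No valid cookie: treat as a new session and generate a new token.
        _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
        Page.ViewStateUserKey = _antiXsrfTokenValue;

        // Non-persistent cookie (no Expires); HttpOnly keeps it out of client script.
        var responseCookie = new HttpCookie(AntiXsrfTokenKey)
        {
            HttpOnly = true,
            Value = _antiXsrfTokenValue
        };

        // Secure is only set when the application requires SSL and this request
        // already arrived over HTTPS; otherwise the cookie can travel over plain HTTP.
        if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
        {
            responseCookie.Secure = true;
        }

        Response.Cookies.Set(responseCookie);
    }

    Page.PreLoad += master_Page_PreLoad;
}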
/// <summary>
/// On the initial load, records the anti-XSRF token and the current user name in
/// view state. On every postback, checks the view state token against the request's
/// token (established in Page_Init) and the stored user name against the
/// authenticated user name.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
/// <exception cref="InvalidOperationException">
/// Thrown on postback when either the token or the user name does not match.
/// </exception>
protected void master_Page_PreLoad(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        // Initial load: persist the token and the user it was issued for.
        // Anonymous users are recorded as an empty name, never null.
        ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
        ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
        return;
    }

    // Postback: the token is checked first; the user name only if the token matched.
    bool tokenMatches = (string)ViewState[AntiXsrfTokenKey] == _antiXsrfTokenValue;
    if (!tokenMatches
        || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
    {
        throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
    }
}
当我在不使用母版页的 save.aspx 页面上单击保存按钮时，如何通过 ajax 请求进行验证？
以下是 cookie 中设置的值：
Cookie:ASP.NET_SessionId=luzxp1452vhz133aqzp4apyg; __AntiXsrfToken=9df60e2882254df58e24093b65a4fccb
下面是我的 ajax javascript 代码：
// Posts the AJAX helper's request document (AJAX.reqXML) to save.aspx, after
// tagging it with the name of the current page. `save_fun` is accepted but
// not used here. Note that nothing in this function attaches the anti-XSRF
// token (cookie or view state) to the request, so a server-side check that
// reads the token from view state presumably will not see it on this POST.
function save_data(AJAX, save_fun) {
    var fullPath = window.location.pathname;
    var pageName = fullPath.slice(fullPath.lastIndexOf('/') + 1);
    AJAX.addData('PageName', pageName);

    AJAX.action = 'C'; // Custom action
    AJAX.showProgress(true);
    AJAX.addHeaderAction(AJAX.action);
    AJAX.createXMLreq();

    AJAX.xmlhttp = AJAX.getAjaxObject();
    AJAX.xmlhttp.onreadystatechange = function () {
        var done = AJAX.xmlhttp.readyState == 4 && AJAX.xmlhttp.status == 200;
        if (done) {
            AJAX.resXML = AJAX.xmlhttp;
        } else {
            // Still in flight: keep the progress indicator up.
            AJAX.showProgress(true);
        }
    };
    AJAX.xmlhttp.open("POST", "save.aspx", true);
    AJAX.xmlhttp.send(AJAX.reqXML);
}
答案 0 :(得分:1)
我发现使用 System.Web.Helpers.AntiForgery 命名空间要容易得多，它似乎完成了全部工作。
请参阅这里的第二个答案：preventing cross-site request forgery (csrf) attacks in asp.net web forms