我正在开发一个ASP.NET应用程序，但不知道如何在ASP.NET中实现并验证CSRF令牌。我希望在每个请求中都验证这些令牌。
我在母版页中添加了以下代码:
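// Name of the cookie that carries the per-browser anti-XSRF token.
private const string AntiXsrfTokenKey = "__AntiXsrfToken";
// ViewState slot that records which user the page was rendered for.
private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
// Token read from (or freshly issued to) the requesting browser in Page_Init.
private string _antiXsrfTokenValue;

/// <summary>
/// Establishes the anti-XSRF token for this request: reuses the value of the
/// "__AntiXsrfToken" cookie when it parses as a GUID, otherwise issues a fresh
/// one and sends it back as an HttpOnly cookie. In both cases the token becomes
/// <see cref="Page.ViewStateUserKey"/>, so the ViewState MAC is tied to this browser.
/// </summary>
protected void Page_Init(object sender, EventArgs e)
{
    var requestCookie = Request.Cookies[AntiXsrfTokenKey];
    Guid requestCookieGuidValue;

    if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
    {
        // Only a cookie that is a well-formed GUID is trusted; anything else is replaced below.
        _antiXsrfTokenValue = requestCookie.Value;
        Page.ViewStateUserKey = _antiXsrfTokenValue;
    }
    else
    {
        _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
        Page.ViewStateUserKey = _antiXsrfTokenValue;

        var responseCookie = new HttpCookie(AntiXsrfTokenKey)
        {
            // HttpOnly keeps the token out of reach of page script.
            HttpOnly = true,
            Value = _antiXsrfTokenValue
        };

        // NOTE(review): Secure is only set when forms authentication demands SSL.
        // On a site served entirely over HTTPS, marking the cookie Secure whenever
        // Request.IsSecureConnection is true would be the stronger choice — confirm
        // against the deployment before changing it.
        if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
        {
            responseCookie.Secure = true;
        }

        Response.Cookies.Set(responseCookie);
    }

    Page.PreLoad += master_Page_PreLoad;
}

/// <summary>
/// On the first render, records the token and the current user name in ViewState.
/// On a postback, requires both to match the current cookie token and user; a
/// mismatch (or any other failure inside the check) logs the error, discards the
/// session and redirects to Default.aspx, ending the response so that no later
/// page-lifecycle event runs for the rejected postback.
/// The check only holds while ViewState MAC validation is enabled (the default):
/// it is the MAC, keyed by ViewStateUserKey, that stops a forged form from
/// carrying a matching ViewState entry.
/// </summary>
protected void master_Page_PreLoad(object sender, EventArgs e)
{
    try
    {
        if (!IsPostBack)
        {
            ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
            ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
        }
        else
        {
            // Validate the Anti-XSRF token: the token rendered into the form must
            // match the browser's cookie, and the page must have been rendered
            // for the same user that is now posting it back.
            var currentUserName = Context.User.Identity.Name ?? String.Empty;
            if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                || (string)ViewState[AntiXsrfUserNameKey] != currentUserName)
            {
                throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
            }
        }
    }
    catch (Exception ex)
    {
        activityLog.Write("MasterPage->PageLoad->Exception->" + ex.Message);

        // Drop server-side session state; Clear() and RemoveAll() are equivalent,
        // so one call is enough before abandoning the session.
        Session.Clear();
        Session.Abandon();

        // A single expired, empty cookie is what makes the browser discard the
        // session id. Setting an expiry on one cookie and then adding a second,
        // non-expired one would leave an empty session cookie in place instead.
        var expiredSessionCookie = new HttpCookie("ASP.NET_SessionId", String.Empty)
        {
            Expires = DateTime.Now.AddYears(-30)
        };
        Response.Cookies.Set(expiredSessionCookie);

        // NOTE(review): a startup script is not delivered with a redirect response,
        // so this registration has no visible effect; kept as in the original.
        ScriptManager.RegisterStartupScript(this, GetType(), "DeleteCookie", "DeleteCookie();", true);

        // End the response here. With endResponse == false the rest of the page
        // lifecycle (Load, control event handlers) still executes for the rejected
        // postback, which is exactly what the token check is meant to prevent.
        Response.Redirect("Default.aspx", true);
    }
}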