如何在ASP.NET中实现和验证CSRF令牌?

时间:2019-09-06 06:23:20

标签: web-applications csrf .net asp.net

我正在开发一个asp.net应用程序,但是我不知道如何在asp.net中实现和验证CSRF令牌。我希望在每个请求中都验证这些令牌。

我在母版页中添加了以下代码:

 // Name of the anti-XSRF cookie and of the ViewState slot that stores the issued token.
        private const string AntiXsrfTokenKey = "__AntiXsrfToken";
        // ViewState slot that records which user the token was issued to.
        private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
        // Token for the current request: taken from the request cookie in Page_Init, or freshly generated there.
        private string _antiXsrfTokenValue;


        /// <summary>
        /// Establishes the anti-XSRF token for this request: reuses the token from the request cookie when it is a
        /// well-formed GUID, otherwise mints a new one and sends it back as an HttpOnly cookie. The token is also used
        /// as the ViewState user key, and the postback check is wired up on <c>Page.PreLoad</c>.
        /// </summary>
        protected void Page_Init(object sender, EventArgs e)
        {
            var tokenCookie = Request.Cookies[AntiXsrfTokenKey];
            Guid parsedToken;
            var hasUsableCookie = tokenCookie != null && Guid.TryParse(tokenCookie.Value, out parsedToken);

            if (hasUsableCookie)
            {
                _antiXsrfTokenValue = tokenCookie.Value;
            }
            else
            {
                _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
                var tokenResponseCookie = new HttpCookie(AntiXsrfTokenKey)
                {
                    Value = _antiXsrfTokenValue,
                    // Not readable from script, so an injected script cannot simply read the token.
                    HttpOnly = true
                };
                // Secure is only set when the application is configured as HTTPS-only (RequireSSL):
                // on a mixed HTTP/HTTPS site a Secure cookie would be absent on HTTP requests, and every
                // such request would mint a fresh token and fail the postback check.
                if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
                {
                    tokenResponseCookie.Secure = true;
                }
                Response.Cookies.Set(tokenResponseCookie);
            }

            // The ViewState user key is what master_Page_PreLoad stores on first render and compares on postback.
            Page.ViewStateUserKey = _antiXsrfTokenValue;

            Page.PreLoad += master_Page_PreLoad;
        }

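        /// <summary>
        /// On the first (non-postback) render, records the token and the current user name in ViewState.
        /// On every postback, requires the ViewState copy to match the cookie-derived token for this request and
        /// the user the form was rendered for; any failure abandons the session, clears the session cookie and
        /// redirects to Default.aspx, ending the response so the rejected postback is not processed further.
        /// </summary>
        /// <remarks>
        /// The comparison relies on ViewState MAC being enabled (the default); with MAC disabled the stored
        /// token could be altered by the client.
        /// </remarks>
        protected void master_Page_PreLoad(object sender, EventArgs e)
        {
            try
            {
                if (!IsPostBack)
                {
                    ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
                    ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
                }
                else
                {
                    // Validate the Anti-XSRF token against the cookie-derived value and the current user.
                    var currentUser = Context.User.Identity.Name ?? String.Empty;
                    var tokenMatches = (string)ViewState[AntiXsrfTokenKey] == _antiXsrfTokenValue;
                    var userMatches = (string)ViewState[AntiXsrfUserNameKey] == currentUser;
                    if (!tokenMatches || !userMatches)
                    {
                        throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
                    }
                }
            }
            catch (Exception ex)
            {
                activityLog.Write("MasterPage->PageLoad->Exception->" + ex.Message);

                // Drop the server-side session and instruct the browser to discard its session cookie.
                // A single expired cookie is sent; previously a second, non-expired empty cookie with the
                // same name was added afterwards, which overrides the expiry in the browser.
                Session.Clear();
                Session.RemoveAll();
                Session.Abandon();
                Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", String.Empty)
                {
                    Expires = DateTime.Now.AddYears(-30)
                });
                // NOTE(review): a redirect response carries no rendered page, so this script is unlikely to run;
                // kept for parity with the existing page behaviour.
                ScriptManager.RegisterStartupScript(this, GetType(), "DeleteCookie", "DeleteCookie();", true);

                // endResponse must be true here: with false the page lifecycle continues, so the Load and
                // postback event handlers of a request that just failed the anti-XSRF check would still execute.
                Response.Redirect("Default.aspx", true);
            }
        }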
