切记ajax中要带上AntiForgeryToken防止CSRF攻击

from :https://www.jb51.net/article/73800.htm

经常看到在项目中ajax post数据到服务器不加防伪标记，造成CSRF攻击

在Asp.net Mvc里加入防伪标记很简单在表单中加入Html.AntiForgeryToken()即可。

Html.AntiForgeryToken()会生成一对加密的字符串，分别存放在Cookies 和 input 中。

我们在ajax post中也带上AntiForgeryToken

@model WebApplication1.Controllers.Person
@{
 ViewBag.Title = "Index" ;
}
Index
"form1" >
 "form-horizontal" >    Persen       @Html.ValidationSummary( true , "" , new { @class = "text-danger" })    "form-group" >     @Html.LabelFor(model => model.Name, htmlAttributes: new { @class = "control-label col-md-2" })     "col-md-10" >      @Html.EditorFor(model => model.Name, new { htmlAttributes = new { @class = "form-control" } })      @Html.ValidationMessageFor(model => model.Name, "" , new { @class = "text-danger" })           "form-group" >     @Html.LabelFor(model => model.Age, htmlAttributes: new { @class = "control-label col-md-2" })     "col-md-10" >      @Html.EditorFor(model => model.Age, new { htmlAttributes = new { @class = "form-control" } })      @Html.ValidationMessageFor(model => model.Age, "" , new { @class = "text-danger" })           "form-group" >     "col-md-offset-2 col-md-10" >      "button" id= "save" value= "Create" class= "btn btn-default" />
  Persen

  @Html.ValidationSummary( true , "" , new { @class = "text-danger" })
  "form-group" >     @Html.LabelFor(model => model.Name, htmlAttributes: new { @class = "control-label col-md-2" })     "col-md-10" >      @Html.EditorFor(model => model.Name, new { htmlAttributes = new { @class = "form-control" } })      @Html.ValidationMessageFor(model => model.Name, "" , new { @class = "text-danger" })
   @Html.LabelFor(model => model.Name, htmlAttributes: new { @class = "control-label col-md-2" })
   "col-md-10" >      @Html.EditorFor(model => model.Name, new { htmlAttributes = new { @class = "form-control" } })      @Html.ValidationMessageFor(model => model.Name, "" , new { @class = "text-danger" })
    @Html.EditorFor(model => model.Name, new { htmlAttributes = new { @class = "form-control" } })
    @Html.ValidationMessageFor(model => model.Name, "" , new { @class = "text-danger" })


  "form-group" >     @Html.LabelFor(model => model.Age, htmlAttributes: new { @class = "control-label col-md-2" })     "col-md-10" >      @Html.EditorFor(model => model.Age, new { htmlAttributes = new { @class = "form-control" } })      @Html.ValidationMessageFor(model => model.Age, "" , new { @class = "text-danger" })
   @Html.LabelFor(model => model.Age, htmlAttributes: new { @class = "control-label col-md-2" })
   "col-md-10" >      @Html.EditorFor(model => model.Age, new { htmlAttributes = new { @class = "form-control" } })      @Html.ValidationMessageFor(model => model.Age, "" , new { @class = "text-danger" })
    @Html.EditorFor(model => model.Age, new { htmlAttributes = new { @class = "form-control" } })
    @Html.ValidationMessageFor(model => model.Age, "" , new { @class = "text-danger" })


  "form-group" >     "col-md-offset-2 col-md-10" >      "button" id= "save" value= "Create" class= "btn btn-default" />
   "col-md-offset-2 col-md-10" >      "button" id= "save" value= "Create" class= "btn btn-default" />
    "button" id= "save" value= "Create" class= "btn btn-default" />




<code class="js string">"~/Scripts/jquery-1.10.2.min.js"</code> <code class="js plain">>
<code class="js string">"~/Scripts/jquery.validate.min.js"</code> <code class="js plain">>
<code class="js string">"~/Scripts/jquery.validate.unobtrusive.min.js"</code> <code class="js plain">>
<code class="js string">"text/javascript"</code> <code class="js plain">></code> </div> <div class="line number36 index35 alt1"> <code class="js spaces"> </code> <code class="js plain">$(</code> <code class="js keyword">function</code> <code class="js plain">() {</code> </div> <div class="line number37 index36 alt2"> <code class="js spaces">  </code> <code class="js comments">//var token = $('[name=__RequestVerificationToken]');</code> </div> <div class="line number38 index37 alt1"> <code class="js spaces">  </code> <code class="js comments">//获取防伪标记</code> </div> <div class="line number39 index38 alt2"> <code class="js spaces">  </code> <code class="js keyword">var</code> <code class="js plain">token = $(</code> <code class="js string">'@Html.AntiForgeryToken()'</code> <code class="js plain">).val();</code> </div> <div class="line number40 index39 alt1"> <code class="js spaces">  </code> <code class="js keyword">var</code> <code class="js plain">headers = {};</code> </div> <div class="line number41 index40 alt2"> <code class="js spaces">  </code> <code class="js comments">//防伪标记放入headers</code> </div> <div class="line number42 index41 alt1"> <code class="js spaces">  </code> <code class="js comments">//也可以将防伪标记放入data</code> </div> <div class="line number43 index42 alt2"> <code class="js spaces">  </code> <code class="js plain">headers[</code> <code class="js string">"__RequestVerificationToken"</code> <code class="js plain">] = token;</code> </div> <div class="line number44 index43 alt1"> <code class="js spaces">  </code> <code class="js plain">$(</code> <code class="js string">"#save"</code> <code class="js plain">).click(</code> <code class="js keyword">function</code> <code class="js plain">() {</code> </div> <div class="line number45 index44 alt2"> <code class="js spaces">   </code> <code class="js plain">$.ajax({</code> </div> <div class="line number46 index45 alt1"> <code class="js spaces">    </code> <code class="js plain">type: </code> <code class="js string">'POST'</code> <code class="js plain">,</code> </div> <div class="line number47 index46 alt2"> <code class="js spaces">    </code> <code class="js plain">url: </code> <code class="js string">'/Home/Index'</code> <code class="js plain">,</code> </div> <div class="line number48 index47 alt1"> <code class="js spaces">    </code> <code class="js plain">cache: </code> <code class="js keyword">false</code> <code class="js plain">,</code> </div> <div class="line number49 index48 alt2"> <code class="js spaces">    </code> <code class="js plain">headers: headers,</code> </div> <div class="line number50 index49 alt1"> <code class="js spaces">    </code> <code class="js plain">data: { Name: </code> <code class="js string">"yangwen"</code> <code class="js plain">, Age: </code> <code class="js string">"1"</code> <code class="js plain">},</code> </div> <div class="line number51 index50 alt2"> <code class="js spaces">    </code> <code class="js plain">success: </code> <code class="js keyword">function</code> <code class="js plain">(data) {</code> </div> <div class="line number52 index51 alt1"> <code class="js spaces">     </code> <code class="js plain">alert(data)</code> </div> <div class="line number53 index52 alt2"> <code class="js spaces">    </code> <code class="js plain">},</code> </div> <div class="line number54 index53 alt1"> <code class="js spaces">    </code> <code class="js plain">error: </code> <code class="js keyword">function</code> <code class="js plain">() {</code> </div> <div class="line number55 index54 alt2"> <code class="js spaces">     </code> <code class="js plain">alert(</code> <code class="js string">"Error"</code> <code class="js plain">)</code> </div> <div class="line number56 index55 alt1"> <code class="js spaces">    </code> <code class="js plain">}</code> </div> <div class="line number57 index56 alt2"> <code class="js spaces">   </code> <code class="js plain">});</code> </div> <div class="line number58 index57 alt1"> <code class="js spaces">  </code> <code class="js plain">})</code> </div> <div class="line number59 index58 alt2"> <code class="js spaces"> </code> <code class="js plain">})</code> </div> <div class="line number60 index59 alt1"> <code class="js plain">

放在cookies里面的加密字符串

控制器中代码

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
namespace WebApplication1.Controllers
 {
 public class HomeController : Controller
  {
  public ActionResult Index()
   {
   return View();
   }
  [HttpPost]
  [MyValidateAntiForgeryToken]
  public ActionResult Index(Person p)
   {
   return Json( true , JsonRequestBehavior.AllowGet);
   }
  }
 public class Person
  {
  public string Name { get; set; }
  public int Age { get; set; }
  }
 public class MyValidateAntiForgeryToken : AuthorizeAttribute
  {
  public override void OnAuthorization(AuthorizationContext filterContext)
   {
   var request = filterContext.HttpContext.Request;
   if (request.HttpMethod == WebRequestMethods.Http.Post)
    {
    if (request.IsAjaxRequest())
     {
     var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName];
     var cookieValue = antiForgeryCookie != null
      ? antiForgeryCookie.Value
      : null ;
     //从cookies 和 Headers 中 验证防伪标记
     //这里可以加try-catch
     AntiForgery.Validate(cookieValue, request.Headers[ "__RequestVerificationToken" ]);
     }
    else
     {
     new ValidateAntiForgeryTokenAttribute()
      .OnAuthorization(filterContext);
     }
    }
   }
  }
 }

这里注释掉ajax中防伪标记在请求

$( "#save" ).click( function () {
 $.ajax({
  type: 'POST' ,
  url: '/Home/Index' ,
  cache: false ,
 //  headers: headers,
  data: { Name: "yangwen" , Age: "1" },
  success: function (data) {
   alert(data)
  },
  error: function () {
   alert( "Error" )
  }
 });
})

默认返回500的状态码。

这里修改ajax中的防伪标记

  $( function () {
 //var token = $('[name=__RequestVerificationToken]');
 //获取防伪标记
 var token = $( '@Html.AntiForgeryToken()' ).val();
 var headers = {};
 //防伪标记放入headers
 //也可以将防伪标记放入data
 headers[ "__RequestVerificationToken" ] = token+11111111111111111111111111111111111;
 $( "#save" ).click( function () {
  $.ajax({
   type: 'POST' ,
   url: '/Home/Index' ,
   cache: false ,
    headers: headers,
   data: { Name: "yangwen" , Age: "1" },
   success: function (data) {
    alert(data)
   },
   error: function () {
    alert( "Error" )
   }
  });
 })
})

也是500的状态码。

以上内容就是本文的全部叙述，切记ajax中要带上AntiForgeryToken防止CSRF攻击，小伙伴们在使用过程发现有疑问，请给我留言，谢谢！