ASP.NET MVC4/5 - Ajax 防止 CSRF攻击

前言

CSRF(Cross-site request forgery跨站请求伪造,也被称为“One Click Attack”或者Session Riding,通常缩写为CSRF或者XSRF,是一种对网站的恶意利用。本文使用ASP.NET MVC提供的AntiForgery进行安全验证

应用

一、自定义FilterAttribute过滤器

 1     /// <summary>
 2     /// 响应返回值
 3     /// </summary>
 4     public class TActionResult
 5     {
 6         /// <summary>
 7         /// 创建一个返回值
 8         /// </summary>
 9         /// <param name="content">返回值</param>
10         /// <returns></returns>
11         public static ActionResult CreateResult(string content)
12         {
13             var contentResult = new ContentResult
14             {
15          16                 Content = content,
17                 ContentEncoding = Encoding.UTF8
18             };
19             return contentResult;
20         }
21     }

 

 1     public class TValidateAntiForgeryTokenAttribute : AuthorizeAttribute
 2     {
 3         public override void OnAuthorization(AuthorizationContext filterContext)
 4         {
 5             try
 6             {
 7                 var request = filterContext.HttpContext.Request;
 8                 if (request.HttpMethod == WebRequestMethods.Http.Post)
 9                 {
10                     if (request.IsAjaxRequest())
11                     {
12                         var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName];
13                         var cookieValue = antiForgeryCookie != null
14                           ? antiForgeryCookie.Value
15                           : null;
16                         //从cookies 和 Headers 中 验证防伪标记
17                         //获取token
18                         var token = request.Headers["__RequestVerificationToken"];
19                         //验证token
20                         AntiForgery.Validate(cookieValue, token);
21                     }
22                     else
23                     {
24                         new ValidateAntiForgeryTokenAttribute()
25                           .OnAuthorization(filterContext);
26                     }
27                 }
28             }
29             catch
30             {
31                 filterContext.Result = TActionResult.CreateResult("无法验证Token!");
32             }
33         }
34     }

 

 

二、视图

                @Html.AntiForgeryToken()

三、HomeController

       [TValidateAntiForgeryToken]
        public string Test()
        {
            return "Token验证通过!";
        }

 

四、Jquery使用Ajax发请求

  1. 设置全局请求头header

 

1     $.ajaxSetup({
2         beforeSend: function (xhr) {
3             //可以设置自定义标头
4             xhr.setRequestHeader('__RequestVerificationToken', $("input[name=__RequestVerificationToken][type=hidden]").val());
5  
6         }  
7     })

  2.ajax请求

   $.post("/home/test",function(msg) {
        alert(msg);
    })

 五、备注:

  1.如果Action上设置缓存,那么视图将不会再次调用@Html.AntiForgeryToken()生成新的,ajax请求还是携带上一次生成的token

你可能感兴趣的:(ASP.NET MVC4/5 - Ajax 防止 CSRF攻击)