码迷,mamicode.com
首页 > Web开发 > 详细

Preventing CSRF With Ajax

时间:2019-10-10 18:40:25      阅读:117      评论:0      收藏:0      [点我收藏+]

标签:ever   cookie   encode   asp   ken   NPU   new   sage   pos   

https://stackoverflow.com/a/24394578/3782855

You don‘t need the ValidationHttpRequestWrapper solution since MVC 4. According to this link.

  1. Put the token in the headers.
  2. Create a filter.
  3. Put the attribute on your method.

Here is my solution:

var token = $(‘input[name="__RequestVerificationToken"]‘).val();
var headers = {};
headers[‘__RequestVerificationToken‘] = token;
$.ajax({
    type: ‘POST‘,
    url: ‘/MyTestMethod‘,
    contentType: ‘application/json; charset=utf-8‘,
    headers: headers,
    data: JSON.stringify({
        Test: ‘test‘
    }),
    dataType: "json",
    success: function () {},
    error: function (xhr) {}
});

 

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public class ValidateJsonAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        var httpContext = filterContext.HttpContext;
        var cookie = httpContext.Request.Cookies[AntiForgeryConfig.CookieName];
        AntiForgery.Validate(cookie != null ? cookie.Value : null, httpContext.Request.Headers["__RequestVerificationToken"]);
    }
}


[HttpPost]
[AllowAnonymous]
[ValidateJsonAntiForgeryToken]
public async Task<JsonResult> MyTestMethod(string Test)
{
    return Json(true);
}

 

Updated Anti-XSRF Validation for ASP.NET MVC 4 RC

Preventing CSRF With Ajax

You can try to apply the ValidateAntiForgeryTokenAttribute attribute to an action method, but it will fail every time if you try to post JSON encoded data to the action method. On one hand, the most secure action possible is one that rejects every request. On the other hand, that’s a lousy user experience.

The problem lies in the fact that the under the hood, deep within the call stack, the attribute peeks into the Request.Form collection to grab the anti-forgery token. But when you post JSON encoded data, there is no form collection to speak of. We hope to fix this at some point and with a more flexible set of anti-forgery helpers. But for the moment, we’re stuck with this.

   

 

Preventing CSRF With Ajax

标签:ever   cookie   encode   asp   ken   NPU   new   sage   pos   

原文地址:https://www.cnblogs.com/chucklu/p/11649821.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!