ASP.NET MVC - all types of requests

Published 2025-01-22 16:15:31 · 2302 characters · 3 views · 0 comments

I am referencing the official Microsoft documentation for CSRF vulnerabilities: https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks

I am adding protection to an ASP.NET MVC application where I CANNOT guarantee that GET requests do not have any side effects. The application is fairly large. I have decided to apply the solution discussed in the doc for ALL requests in the application. However, I am getting confused about how this works for requests where a form is not used to submit the request.

I have this login form:

<form action="~/Account/Login" method="post">
    @Html.AntiForgeryToken()
    <div id="loginView">
        <h3>Login</h3>
        <ul>
            <li><label for="UserName">User Name:</label> <input id="UserName" name="UserName" type="text" value="" /></li>
            <li><label for="Password">Password:</label>  <input type="password" id="Password" name="Password" value="" /></li>
            <li><input name="submit" type="submit" id="loginSubmit" value="Log In" /></li>
        </ul>
    </div>
</form>

There are several other @Html.AntiForgeryToken() throughout the application. Once the user logs in, requests are made in the background, by the user, etc.

Can the __RequestVerificationToken from the login form be used to verify all the other requests? The Microsoft documentation states to do this for Ajax requests:

<script>
@functions{
    public string TokenHeaderValue()
    {
        string cookieToken, formToken;
        AntiForgery.GetTokens(null, out cookieToken, out formToken);
        return cookieToken + ":" + formToken;
    }
}

$.ajax("api/values", {
    type: "post",
    contentType: "application/json",
    data: {  }, // JSON data goes here
    dataType: "json",
    headers: {
        'RequestVerificationToken': '@TokenHeaderValue()'
    }
});
</script>

My understanding of this is that TokenHeaderValue() will be placed in some global file. Then, I'll have to add the token as a header for ALL requests.

Finally, I'll have to validate the token before each controller method is executed. I assume this is similar to this:

void ValidateRequestHeader(HttpRequestMessage request)
{
    string cookieToken = "";
    string formToken = "";

    IEnumerable<string> tokenHeaders;

    if (request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders))
    {
        string[] tokens = tokenHeaders.First().Split(':');

        if (tokens.Length == 2)
        {
            cookieToken = tokens[0].Trim();
            formToken = tokens[1].Trim();
        }
    }

    AntiForgery.Validate(cookieToken, formToken);
}

Am I missing anything? Is the approach correct?
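One way to wire the two token-carrying paths from the question (the `__RequestVerificationToken` form field and the `cookieToken:formToken` header) into a single MVC 5 global filter, as an added example that is not part of the original post or of the Microsoft article. The attribute name, `HeaderName`, and the `FilterConfig` registration are assumptions; `AntiForgery.Validate`, `HttpAntiForgeryException` and `GlobalFilterCollection` are the real framework types.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical global authorization filter. It runs before every action,
// including GET, because this application cannot guarantee that GETs are
// side-effect free. Two ways a request may carry its token:
//   1. a normal form post: @Html.AntiForgeryToken() emitted the hidden
//      __RequestVerificationToken field, so AntiForgery.Validate() can read it;
//   2. an Ajax (or any non-form) request: the RequestVerificationToken header
//      holds "cookieToken:formToken", the format TokenHeaderValue() produces.
public class ValidateAntiForgeryTokenOnAllRequestsAttribute : FilterAttribute, IAuthorizationFilter
{
    public const string HeaderName = "RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        string headerValue = filterContext.HttpContext.Request.Headers[HeaderName];

        if (!string.IsNullOrEmpty(headerValue))
        {
            // Non-form path. GET requests have no form body, so they must use this path.
            string[] parts = headerValue.Split(':');
            if (parts.Length != 2)
                throw new HttpAntiForgeryException("Malformed " + HeaderName + " header.");

            AntiForgery.Validate(parts[0].Trim(), parts[1].Trim());
        }
        else
        {
            // Form path: compares the __RequestVerificationToken cookie with the
            // __RequestVerificationToken form field. Throws HttpAntiForgeryException
            // when either is missing or they do not match.
            AntiForgery.Validate();
        }
        // Note: the form token also encodes the authenticated user name, so a
        // token issued on the anonymous login page does not validate once the
        // user is signed in; the post-login pages must emit fresh tokens.
    }
}

// Assumed registration in App_Start/FilterConfig.cs so the check applies everywhere.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new ValidateAntiForgeryTokenOnAllRequestsAttribute());
    }
}
```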
