  • Preventing CSRF With Ajax

    https://stackoverflow.com/a/24394578/3782855

    You don't need the ValidationHttpRequestWrapper solution since MVC 4, according to this link.

    1. Put the token in the headers.
    2. Create a filter.
    3. Put the attribute on your method.

    Here is my solution:

    // Client side: read the anti-forgery token rendered by @Html.AntiForgeryToken()
    // and send it as a request header, since the JSON body has no form field for it.
    var token = $('input[name="__RequestVerificationToken"]').val();
    var headers = {};
    headers['__RequestVerificationToken'] = token;
    $.ajax({
        type: 'POST',
        url: '/MyTestMethod',
        contentType: 'application/json; charset=utf-8',
        headers: headers,
        data: JSON.stringify({
            Test: 'test'
        }),
        dataType: "json",
        success: function () {},
        error: function (xhr) {}
    });

    using System;
    using System.Threading.Tasks;
    using System.Web.Helpers;
    using System.Web.Mvc;

    // Server side: validate the cookie token against the header token, because
    // the built-in ValidateAntiForgeryToken only looks in Request.Form.
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
    public class ValidateJsonAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
            {
                throw new ArgumentNullException("filterContext");
            }

            var httpContext = filterContext.HttpContext;
            // Cookie half of the token pair; null when the cookie is absent.
            var cookie = httpContext.Request.Cookies[AntiForgeryConfig.CookieName];
            // Throws HttpAntiForgeryException when the pair does not validate,
            // so the action is never executed for a forged request.
            AntiForgery.Validate(cookie != null ? cookie.Value : null, httpContext.Request.Headers["__RequestVerificationToken"]);
        }
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateJsonAntiForgeryToken]
    public async Task<JsonResult> MyTestMethod(string Test)
    {
        return Json(true);
    }

    Updated Anti-XSRF Validation for ASP.NET MVC 4 RC

    Preventing CSRF With Ajax

    You can try to apply the ValidateAntiForgeryTokenAttribute attribute to an action method, but it will fail every time if you try to post JSON encoded data to the action method. On one hand, the most secure action possible is one that rejects every request. On the other hand, that’s a lousy user experience.

    The problem lies in the fact that, under the hood, deep within the call stack, the attribute peeks into the Request.Form collection to grab the anti-forgery token. But when you post JSON encoded data, there is no form collection to speak of. We hope to fix this at some point and with a more flexible set of anti-forgery helpers. But for the moment, we’re stuck with this.
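    Because the built-in attribute reads only Request.Form, a filter that checks the header first and falls back to the form field lets one attribute protect both JSON and classic form posts. The code below is an added example, not from the answer or from the linked post; the attribute class name and the TokenName constant are my own, and it uses the same System.Web.Helpers.AntiForgery API as the answer above.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example: accepts the anti-forgery token from the request header
// (JSON/Ajax posts) or, failing that, from the form field (classic posts).
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class ValidateAntiForgeryTokenFromHeaderOrFormAttribute : FilterAttribute, IAuthorizationFilter
{
    // Same name the jQuery snippet sends as a header and that
    // @Html.AntiForgeryToken() renders as a hidden form field.
    private const string TokenName = "__RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        var request = filterContext.HttpContext.Request;

        // Half #1 of the pair: the HttpOnly anti-forgery cookie.
        var cookie = request.Cookies[AntiForgeryConfig.CookieName];
        var cookieToken = cookie != null ? cookie.Value : null;

        // Half #2: prefer the header; fall back to the form field so the
        // same attribute also works on ordinary form submissions.
        var requestToken = request.Headers[TokenName];
        if (string.IsNullOrEmpty(requestToken))
        {
            requestToken = request.Form[TokenName];
        }

        // Throws HttpAntiForgeryException on a missing or mismatched pair,
        // which stops the pipeline before the action runs.
        AntiForgery.Validate(cookieToken, requestToken);
    }
}
```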


  • Original article: https://www.cnblogs.com/chucklu/p/11649821.html