zoukankan      html  css  js  c++  java
  • Html.AntiForgeryToken 防止伪造提交

    原文发布时间为:2011-05-03 —— 来源于本人的百度文章 [由搬家工具导入]

    In this tutorial, I am not going to discuss the concept in-depth since they have done such a fantastic job. Instead, I want to show how you can easily incorporate the Html.AntiForgeryToken HtmlHelper Method and [ValidateAntiForgeryToken] Attribute in the sample code from our first meeting:Introduction to ASP.NET MVC Screencast and Sample Code.

    This is really a two-step process:

    Add the [ValidateAntiForgeryToken] Attribute to any Post Action Methods.Add the Html.AntiForgeryToken() HtmlHelper Method to any forms posting back to the website.

     

    Let's just do this to the Edit Action Method in the ContactsController in this tutorial.

     

    [ValidateAntiForgeryToken] Attribute

    The ValidateAntiForgeryToken Attribute in the ASP.NET MVC Framework is an IAuthorizationFilter which is guaranteed to run before any other filters. You add it to your post Action Methods as such:

     

    [AcceptVerbs(HttpVerbs.Post)]

    [ValidateAntiForgeryToken]

    publicActionResultEdit(Contactcontact)

    {

        try

        {

            if (!ModelState.IsValid)

                returnView(contact);

     

            _db.Contacts.Attach(contact, true);

            _db.SubmitChanges();

     

            returnRedirectToAction("List");

        }

        catch

        {

            returnView(contact);

        }

    }

     

    The ValidateAntiForgeryToken Attribute does some voodoo magic in the background. It checks to see that the cookie and hidden form field left by the Html.AntiForgeryToken() HtmlHelper essentially exists and match. If they do not exist or match, it throws an HttpAntiForgeryException:

     

     

    You can obviously clean that exception up, but the important point is that if the cookie and form field do not exist or match the action method is not executed for security reasons. This is a good thing!

     

    Html.AntiForgeryToken HtmlHelper Method

    As mentioned before, we need to add the Html.AntiForgeryToken Method to the forms so that a cookie is added on the client and a hidden form field is added to the form itself. This is as simple as:

     

     

     

    You will notice the hidden form field in the HTML source:

     

     

    The Html.AntiForgeryToken Method will also add a cookie on your machine matching the same value in the hidden form field. It is the cookie and the hidden form field value that the ValidateAntiForgeryToken Attribute is checking.

     

    Conclusion

    Pretty simple way to protect your website against Cross-Site Request Forgery Attacks in the ASP.NET MVC Framework.

    You can add this code yourself by downloading the Tampa MVC Developer Group Screencast and sample code based on our first meeting.

  • 相关阅读:
    win8.1下解决Visual C++不兼容的方法
    Java文件File类学习总结
    Java可视化日历(Date类、DATe Format类、Calendar类综合运用),开发可视化日历小程序
    java时间日期类(Date、DateFormat、Calendar)学习
    使用SimpleDateFormat类来实现时间跟字符串的转化
    Java中运行时异常和非运行时异常什么鬼?
    Java构造器练习题
    Word中一条删除不掉的单或双横线的解决办法
    Java中常用类(包装类扩展知识)
    Java异常学习总结二
  • 原文地址:https://www.cnblogs.com/handboy/p/7164021.html
Copyright © 2011-2022 走看看