zoukankan      html  css  js  c++  java
  • Html.AntiForgeryToken 防止伪造提交

    原文发布时间为:2011-05-03 —— 来源于本人的百度文章 [由搬家工具导入]

    In this tutorial, I am not going to discuss the concept in-depth since they have done such a fantastic job. Instead, I want to show how you can easily incorporate the Html.AntiForgeryToken HtmlHelper Method and [ValidateAntiForgeryToken] Attribute in the sample code from our first meeting:Introduction to ASP.NET MVC Screencast and Sample Code.

    This is really a two-step process:

    Add the [ValidateAntiForgeryToken] Attribute to any Post Action Methods.Add the Html.AntiForgeryToken() HtmlHelper Method to any forms posting back to the website.

     

    Let's just do this to the Edit Action Method in the ContactsController in this tutorial.

     

    [ValidateAntiForgeryToken] Attribute

    The ValidateAntiForgeryToken Attribute in the ASP.NET MVC Framework is an IAuthorizationFilter which is guaranteed to run before any other filters. You add it to your post Action Methods as such:

     

    [AcceptVerbs(HttpVerbs.Post)]

    [ValidateAntiForgeryToken]

    publicActionResultEdit(Contactcontact)

    {

        try

        {

            if (!ModelState.IsValid)

                returnView(contact);

     

            _db.Contacts.Attach(contact, true);

            _db.SubmitChanges();

     

            returnRedirectToAction("List");

        }

        catch

        {

            returnView(contact);

        }

    }

     

    The ValidateAntiForgeryToken Attribute does some voodoo magic in the background. It checks to see that the cookie and hidden form field left by the Html.AntiForgeryToken() HtmlHelper essentially exists and match. If they do not exist or match, it throws an HttpAntiForgeryException:

     

     

    You can obviously clean that exception up, but the important point is that if the cookie and form field do not exist or match the action method is not executed for security reasons. This is a good thing!

     

    Html.AntiForgeryToken HtmlHelper Method

    As mentioned before, we need to add the Html.AntiForgeryToken Method to the forms so that a cookie is added on the client and a hidden form field is added to the form itself. This is as simple as:

     

     

     

    You will notice the hidden form field in the HTML source:

     

     

    The Html.AntiForgeryToken Method will also add a cookie on your machine matching the same value in the hidden form field. It is the cookie and the hidden form field value that the ValidateAntiForgeryToken Attribute is checking.

     

    Conclusion

    Pretty simple way to protect your website against Cross-Site Request Forgery Attacks in the ASP.NET MVC Framework.

    You can add this code yourself by downloading the Tampa MVC Developer Group Screencast and sample code based on our first meeting.

  • 相关阅读:
    php setcookie(name, value, expires, path, domain, secure) 参数详解
    cookie 和session 的区别详解
    一群猴子排成一圈,按1,2,...n 编号,数到m只,踢出局,直到剩下最后一个猴子是大王
    封装数据库mysql, mysqli
    图片处理类(缩略图)
    封装验证码类
    Java多线程编程(一)
    SpringMVC 自定义拦截资料
    Python包的相对导入时出现错误的解决方法
    TCP协议总结
  • 原文地址:https://www.cnblogs.com/handboy/p/7164021.html
Copyright © 2011-2022 走看看