http://stackoverflow.com/questions/29939566/preventing-cross-site-request-forgery-csrf-attacks-in-asp-net-web-forms
1.在Master页面添加以下代码
C#
public partial class SiteMaster : MasterPage { private const string AntiXsrfTokenKey = "__AntiXsrfToken"; private const string AntiXsrfUserNameKey = "__AntiXsrfUserName"; private string _antiXsrfTokenValue; protected void Page_Init(object sender, EventArgs e) { //First, check for the existence of the Anti-XSS cookie var requestCookie = Request.Cookies[AntiXsrfTokenKey]; Guid requestCookieGuidValue; //If the CSRF cookie is found, parse the token from the cookie. //Then, set the global page variable and view state user //key. The global variable will be used to validate that it matches //in the view state form field in the Page.PreLoad method. if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue)) { //Set the global token variable so the cookie value can be //validated against the value in the view state form field in //the Page.PreLoad method. _antiXsrfTokenValue = requestCookie.Value; //Set the view state user key, which will be validated by the //framework during each request Page.ViewStateUserKey = _antiXsrfTokenValue; } //If the CSRF cookie is not found, then this is a new session. else { //Generate a new Anti-XSRF token _antiXsrfTokenValue = Guid.NewGuid().ToString("N"); //Set the view state user key, which will be validated by the //framework during each request Page.ViewStateUserKey = _antiXsrfTokenValue; //Create the non-persistent CSRF cookie var responseCookie = new HttpCookie(AntiXsrfTokenKey) { //Set the HttpOnly property to prevent the cookie from //being accessed by client side script HttpOnly = true, //Add the Anti-XSRF token to the cookie value Value = _antiXsrfTokenValue }; //If we are using SSL, the cookie should be set to secure to //prevent it from being sent over HTTP connections if (FormsAuthentication.RequireSSL && Request.IsSecureConnection) { responseCookie.Secure = true; } //Add the CSRF cookie to the response Response.Cookies.Set(responseCookie); } Page.PreLoad += master_Page_PreLoad; } protected void master_Page_PreLoad(object sender, EventArgs e) { //During the initial page load, add the Anti-XSRF token and user //name to the ViewState if (!IsPostBack) { //Set Anti-XSRF token ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey; //If a user name is assigned, set the user name ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty; } //During all subsequent post backs to the page, the token value from //the cookie should be validated against the token in the view state //form field. Additionally user name should be compared to the //authenticated users name else { //Validate the Anti-XSRF token if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty)) { throw new InvalidOperationException("Validation of " + "Anti-XSRF token failed."); } } } }
VB.NET
Private Const AntiXsrfTokenKey As String = "__AntiXsrfToken" Private Const AntiXsrfUserNameKey As String = "__AntiXsrfUserName" Private _antiXsrfTokenValue As String Protected Sub Page_Init(sender As Object, e As EventArgs) Handles Me.Init ' The code below helps to protect against XSRF attacks Dim requestCookie = Request.Cookies(AntiXsrfTokenKey) Dim requestCookieGuidValue As Guid If requestCookie IsNot Nothing AndAlso Guid.TryParse(requestCookie.Value, requestCookieGuidValue) Then ' Use the Anti-XSRF token from the cookie _antiXsrfTokenValue = requestCookie.Value Page.ViewStateUserKey = _antiXsrfTokenValue Else ' Generate a new Anti-XSRF token and save to the cookie _antiXsrfTokenValue = Guid.NewGuid().ToString("N") Page.ViewStateUserKey = _antiXsrfTokenValue Dim responseCookie = New HttpCookie(AntiXsrfTokenKey) responseCookie.HttpOnly = True responseCookie.Value = _antiXsrfTokenValue If FormsAuthentication.RequireSSL AndAlso Request.IsSecureConnection Then responseCookie.Secure = True End If Response.Cookies.Set(responseCookie) End If AddHandler Page.PreLoad, AddressOf master_Page_PreLoad End Sub Protected Sub master_Page_PreLoad(sender As Object, e As EventArgs) If Not IsPostBack Then ' Set Anti-XSRF token ViewState(AntiXsrfTokenKey) = Page.ViewStateUserKey ViewState(AntiXsrfUserNameKey) = If(Context.User.Identity.Name, [String].Empty) Else ' Validate the Anti-XSRF token If DirectCast(ViewState(AntiXsrfTokenKey), String) <> _antiXsrfTokenValue OrElse DirectCast(ViewState(AntiXsrfUserNameKey), String) <> (If(Context.User.Identity.Name, [String].Empty)) Then Throw New InvalidOperationException("Validation of Anti-XSRF token failed.") End If End If End Sub
2.logout的时候清除相关cookie(这里很重要,否则没有效果)
Session.Abandon() 'delete the session and antixsrfToken cookies Dim sessionCookie = Response.Cookies("ASP.NET_SessionId") Dim antiCookie = Response.Cookies("__AntiXsrfToken") sessionCookie.Expires = DateTime.Now.AddHours(-2) antiCookie.Expires = DateTime.Now.AddHours(-2) Response.Cookies.Add(sessionCookie) Response.Cookies.Add(antiCookie) Response.Redirect("./login.aspx", False)