ASP.NET MVC4/5 - Ajax 防止 CSRF攻击

前言

CSRF（Cross-site request forgery跨站请求伪造，也被称为“One Click Attack”或者Session Riding，通常缩写为CSRF或者XSRF，是一种对网站的恶意利用。本文使用ASP.NET MVC提供的AntiForgery进行安全验证

应用

一、自定义FilterAttribute过滤器

/// <summary>
/// 响应返回值
/// </summary>
public class TActionResult
{
/// <summary>
/// 创建一个返回值
/// </summary>
/// <param name="content">返回值</param>
/// <returns></returns>
public static ActionResult CreateResult(string content)
{
var contentResult = new ContentResult
{
Content = content,
ContentEncoding = Encoding.UTF8
};
return contentResult;
}
}

public class TValidateAntiForgeryTokenAttribute : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
try
{
var request = filterContext.HttpContext.Request;
if (request.HttpMethod == WebRequestMethods.Http.Post)
{
if (request.IsAjaxRequest())
{
var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName];
var cookieValue = antiForgeryCookie != null
? antiForgeryCookie.Value
: null;
//从cookies 和 Headers 中 验证防伪标记
//获取token
var token = request.Headers["__RequestVerificationToken"];
//验证token
AntiForgery.Validate(cookieValue, token);
}
else
{
new ValidateAntiForgeryTokenAttribute()
.OnAuthorization(filterContext);
}
}
}
catch
{
filterContext.Result = TActionResult.CreateResult("无法验证Token!");
}
}
}

二、视图

@Html.AntiForgeryToken()

三、HomeController

[TValidateAntiForgeryToken]
public string Test()
{
return "Token验证通过!";
}

四、Jquery使用Ajax发请求

1. 设置全局请求头header

$.ajaxSetup({
beforeSend: function (xhr) {
//可以设置自定义标头
xhr.setRequestHeader('__RequestVerificationToken', $("input[name=__RequestVerificationToken][type=hidden]").val());

}
})

2.ajax请求

$.post("/home/test",function(msg) {
alert(msg);
})

五、备注：

1.如果Action上设置缓存，那么视图将不会再次调用@Html.AntiForgeryToken()生成新的,ajax请求还是携带上一次生成的token