如何在ASP.NET中保护AJAX请求? [英] How to secure AJAX request in ASP.NET?
问题描述
我正在开发一个应用程序,我在其中显示网格中的产品。在网格中有一列有禁用/启用图标,点击该图标我通过AJAX向我的页面 manageProduct.aspx 发出启用/禁用请求那个特定的产品。
I am developing an application in which I am displaying products in a grid. In the grid there is a column which have a disable/enable icon and on click of that icon I am firing a request through AJAX to my page manageProduct.aspx for enabling/disabling that particular product.
在我的ajax请求中,我将productID作为参数传递,因此最终的ajax查询为
In my ajax request I am passing productID as parameter, so the final ajax query is as
http://example.com/manageProduct.aspx?id=234
现在,如果有人(专业黑客或网络开发人员)可以获取此URL(很容易从我的javascript文件中获取),那么他可以制作一个将作为循环运行的脚本并禁用我的所有产品。
Now, if someone (professional hacker or web developer) can get this URL (which is easy to get from my javascript files), then he can make a script which will run as a loop and will disable all my products.
所以,我想知道是否存在任何机制,技术或方法,如果有人试图直接执行该页面,它将返回错误(a正确的消息你没有被授权或其他东西)否则如果页面是从所需的页面执行的,就像我在显示产品列表的地方那样,那么它将正确地执行。
So, I want to know that is there any mechanism, technique or method using which if someone tries to execute that page directly then, it will return an error (a proper message "You're not authorized or something") else if the page is executed from the desired page, like where I am displaying product list, then it will ecxecute properly.
基本上我想保护我的AJAX请求,所以没有人可以直接执行它们。
Basically I wnat to secure my AJAX requests, so taht no one can directly execute them.
在PHP中:
在php中,我的同事通过检查页面的refrer来保护这个PHP页面。如下所示:
In php my colleague secure this PHP pages by checking the refrer of the page. as below:
$back_link = $_SERVER['HTTP_REFERER'];
if ($back_link =='')
{
echo 'You are not authorized to execute this page';
}
else
{
//coding
}
请告诉我如何在ASP.NET(C#)中使用相同或任何其他不同但安全的技术,我在我的应用程序中使用jQUERY来发出ajax请求。
Please tell me how to the same or any other different but secure techique in ASP.NET (C#), I am using jQUERY in my app for making ajax requests.
谢谢
推荐答案
忘记使用referer - 伪造是微不足道的。无法可靠地判断请求是直接发出还是作为对其他内容的响应。
Forget about using the referer - it is trivial to forge. There is no way to reliably tell if a request is being made directly or as a response to something else.
如果您想阻止未经授权的人员对其他人产生影响。系统通过请求URL,然后您需要更智能的东西来确定他们的授权级别(可能是使用HTTP Basic Auth或Cookies实现的密码系统)。
If you want to stop unauthorised people from having an effect on the system by requesting a URL, then you need something smarter then that to determine their authorisation level (probably a password system implemented with HTTP Basic Auth or Cookies).
这篇关于如何在ASP.NET中保护AJAX请求?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
