AntiForgery.GetTokens: what is the purpose of the oldCookieToken parameter?


Question

We're writing an iOS mobile app in objective-c that makes posts to our ASP.NET MVC server app. On iPhone, the HTTP stack (and cookies etc) appear to be shared with Safari. This leaves us open to XSRF attacks, so unless I'm mistaken we need to protect the POSTs with anti-forgery tokens and protect our controller methods with ValidateAntiForgeryTokenAttribute.

I'll qualify this question by saying that I don't properly understand the mechanism by which the antiforgery tokens are generated and verified... in particular, the term 'nonce' used in this context is somewhat mystical.

Because we're not delivering HTML to the client, we can't use the standard @Html.AntiForgeryToken(), so instead we have to use AntiForgery.GetTokens to acquire and distribute the tokens to our clients. This has a mysterious first parameter: oldCookieToken. At the moment, I just set it to null and everything seems to work fine. So can anyone tell me... what is the use of supplying the old token to the token generating algorithm? If only a single token is issued to our iOS app and reused for multiple posts, is this going to be problematic?

Answer

AntiForgery.GetTokens will try to reuse the old cookie token for validation purposes. So if you already have a validation token you want to reuse, it will attempt to use it instead of generating a new one. If the old token is invalid, it will generate a new one and use it instead.

So passing null to oldCookieToken is valid. It simply tells GetTokens to always generate a new cookie token.
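As an added illustration (not code from the question or answer above), here is how an MVC controller can hand tokens to a non-HTML client such as the iOS app, offering the client's existing cookie token as oldCookieToken so GetTokens can reuse it, and then validate the pair explicitly on a POST. The controller name, the `X-RequestVerificationToken` header and the assumption that GetTokens returns a null cookie token when it reused the old one are mine, not the page's.

```csharp
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical controller (added example, not from the original post).
public class AntiForgeryApiController : Controller
{
    // GET /AntiForgeryApi/Token : issues a form token to a non-HTML client.
    [HttpGet]
    public ActionResult Token()
    {
        // Offer the cookie token the client already holds, if any, so that
        // GetTokens can reuse it instead of minting a new one. Passing null
        // here would force a fresh cookie token on every call.
        HttpCookie existing = Request.Cookies[AntiForgeryConfig.CookieName];
        string oldCookieToken = existing == null ? null : existing.Value;

        string newCookieToken, formToken;
        AntiForgery.GetTokens(oldCookieToken, out newCookieToken, out formToken);

        // Assumption: newCookieToken is null when the old token was reused and
        // non-null only when GetTokens had to generate a replacement.
        if (newCookieToken != null)
        {
            Response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken)
            {
                HttpOnly = true,
                Secure = Request.IsSecureConnection
            });
        }

        // The app sends this value back on each POST; this example expects it
        // in a custom header rather than a form field.
        return Json(new { formToken }, JsonRequestBehavior.AllowGet);
    }

    // POST /AntiForgeryApi/Create : validates the cookie/header pair by hand,
    // because [ValidateAntiForgeryToken] only looks for the form field.
    [HttpPost]
    public ActionResult Create(string body)
    {
        HttpCookie cookie = Request.Cookies[AntiForgeryConfig.CookieName];
        string formToken = Request.Headers["X-RequestVerificationToken"];

        // Throws HttpAntiForgeryException when the pair does not match.
        AntiForgery.Validate(cookie == null ? null : cookie.Value, formToken);

        return new HttpStatusCodeResult(204);
    }
}
```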
