Need some guidelines for AntiForgeryToken use in MVC


Question

I am new to MVC, so I went through a few articles about AntiForgeryToken usage. AntiForgeryToken emits an encrypted value in the page, and when the form is posted, the encrypted value and the AntiForgeryToken cookie go to the server end, where the two values are compared to check whether they are the same or not. If not, an error is thrown.

I have a few questions on AntiForgeryToken:

1) How does the comparison occur at the server end? Do I need to write any code to compare the values, or is it done automatically when the action method has an attribute like [ValidateAntiForgeryToken()]?

[ValidateAntiForgeryToken()]
public ActionResult Edit(ProductDetails productdetails)
{

}

2) If I'd like to encrypt the user id when the page is displayed, can I write code like @Html.AntiForgeryToken(m => m.userid)? If it is possible, then when the form is posted, how can I get the user id value on the server side, because the user id would be encrypted?

3) What is the salt concept people use? How do I implement the salt concept with AntiForgeryToken()?

4) Can I put multiple AntiForgeryToken() calls in a single form for encrypting multiple pieces of sensitive data? If that is not possible, then please tell me the reason.

5) How can I make AntiForgeryToken() encrypt the value against a key... the key will be supplied by me, and every time it will be dynamic?

Please give the answer point-wise. Thanks.

Regarding the dynamic salt

To generate a random string, use the RNGCryptoServiceProvider.

using System;
using System.Security.Cryptography;

// Returns `length` cryptographically random bytes, Base64-encoded.
public string GenerateSalt(int length)
{
    using (var rng = new RNGCryptoServiceProvider())
    {
        var buffer = new byte[length];
        rng.GetBytes(buffer);
        return Convert.ToBase64String(buffer);
    }
}

If I call GenerateSalt(), it will always give a dynamic combination. That's it.

Answer

  1. Done automatically. That's what the [ValidateAntiForgeryToken] attribute (filter) does.
  2. That's not within the scope of the token; it's there just to prevent spam and some forms of hacking, not to encrypt data. If security is a concern, think of creating your own Data Annotation attribute coupled with a DisplayTemplate/EditorTemplate (and then also a custom filter to pre-process the incoming value).
  3. Salt is like any form of encryption; it's there to make it more difficult to spoof incoming values. By using a salt you're adding another level of complication to the hash, so decrypting now requires that value.
  4. Again, it's not there to encrypt your data, just to secure the form from misuse.
  5. Not sure what you mean--a dynamic salt? You can probably create a custom implementation (ValidateMyAntiForgeryToken : ValidateAntiForgeryToken).
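An added example (not code from the question or the answer above) showing the wiring behind point 1 on ASP.NET MVC 4 or later: @Html.AntiForgeryToken() in the view writes the hidden form field and the matching cookie, the [ValidateAntiForgeryToken] filter on the POST action compares the pair on the server before the action body runs, and for an AJAX endpoint the same check can be invoked by hand through System.Web.Helpers.AntiForgery.Validate(cookieToken, formToken), which is the call the filter makes internally. The names ProductDetails, ProductsController, Rename and the X-RequestVerificationToken header are assumptions for illustration.

```csharp
// Added example, not code from the question or answer. Assumes ASP.NET MVC 4+
// with System.Web.WebPages referenced; ProductDetails, ProductsController and
// the X-RequestVerificationToken header name are placeholders.
using System.Web.Helpers;
using System.Web.Mvc;

public class ProductDetails
{
    public int Id { get; set; }
    public string Name { get; set; }
}

// Views/Products/Edit.cshtml (Razor), assumed to contain:
//   @model ProductDetails
//   @using (Html.BeginForm("Edit", "Products", FormMethod.Post))
//   {
//       @Html.AntiForgeryToken()   // hidden __RequestVerificationToken field + cookie
//       @Html.HiddenFor(m => m.Id)
//       @Html.EditorFor(m => m.Name)
//       <input type="submit" value="Save" />
//   }
public class ProductsController : Controller
{
    // GET renders the form. The token pair emitted by the view holds random
    // values issued together; it carries no user-supplied data such as an id.
    [HttpGet]
    public ActionResult Edit(int id)
    {
        return View(new ProductDetails { Id = id, Name = "Sample" });
    }

    // The filter runs before the action: it reads the __RequestVerificationToken
    // cookie and the form field, checks that they were issued together (and for
    // the same authenticated user, if any), and throws HttpAntiForgeryException
    // otherwise. No comparison code is needed in the action body.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(ProductDetails productdetails)
    {
        if (!ModelState.IsValid)
        {
            return View(productdetails);
        }
        // ... persist productdetails ...
        return RedirectToAction("Index");
    }

    // For an AJAX caller that sends the form token in a request header instead
    // of a form field, run the same check by hand. AntiForgery.Validate(cookie,
    // form) is what ValidateAntiForgeryTokenAttribute calls internally.
    [HttpPost]
    public ActionResult Rename(int id, string name)
    {
        var cookie = Request.Cookies[AntiForgeryConfig.CookieName];
        var formToken = Request.Headers["X-RequestVerificationToken"];
        AntiForgery.Validate(cookie != null ? cookie.Value : null, formToken);
        // ... rename the product ...
        return Json(new { ok = true });
    }
}
```

On the salt questions (points 3 and 5): in MVC 2/3 the salt was a fixed string passed to both Html.AntiForgeryToken(salt) and [ValidateAntiForgeryToken(Salt = salt)], so it had to be the same constant on both the rendering and the validating side and could not be generated fresh per request; MVC 4 marked that overload obsolete and replaced it with the cookie/form pair shown above, where the randomness already lives in the token itself.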
