jQuery的Ajax调用和Html.AntiForgeryToken() [英] jQuery Ajax calls and the Html.AntiForgeryToken()
问题描述
我在我的应用程序已经实现了下面,我已阅读在互联网上周围的一些博客文章的信息的缓解为CSRF攻击。特别是,这些职位一直是我的实现驾驶员
- 最佳实践从ASP ASP.NET MVC 。 NET和Web工具开发内容团队
- 从菲尔一个跨站请求伪造攻击剖析哈克博客
- <一个href="http://davidhayden.com/blog/dave/archive/2009/04/29/AntiForgeryTokenInMVCFramework.aspx">AntiForgeryToken在ASP.NET MVC框架 - Html.AntiForgeryToken和ValidateAntiForgeryToken从大卫·海登博客属性
基本上,这些文章和建议说,为prevent的CSRF攻击任何人都应该实现以下code:
1)添加 [ValidateAntiForgeryToken]
上接受POST HTTP动词的每一个动作
[HttpPost]
[ValidateAntiForgeryToken]
公众的ActionResult SomeAction(SomeModel模型){
}
2)添加&LT;%= Html.AntiForgeryToken()%&GT;
助手里面的形式提交数据到服务器
&LT; DIV的风格=文本对齐:右;填充:8像素;&GT;
&其中;%= Html.AntiForgeryToken()%&GT;
&LT;输入类型=提交ID =btnSave值=保存/&GT;
&LT; / DIV&GT;
反正在我的应用程序,我从事的是Ajax的POST使用jQuery到服务器,而无需任何形式的所有某些部分。出现这种情况的例子,我是让用户单击图像上做了具体的行动。
假设我有一个表的活动一览表。我对表的列的图像,上面写着为完成标志活动,并在该活动我做了Ajax的POST如下面的示例中,用户点击:
$(a.markAsDone)。点击(函数(事件){
。事件preventDefault();
$阿贾克斯({
类型:后,
数据类型:HTML,
网址:$(本).attr(相对),
数据: {},
成功:函数(响应){
// ....
}
});
});
我如何使用&LT;%= Html.AntiForgeryToken()%&GT;
在这种情况下?我应该包括Ajax调用的数据参数内的助手呼吁?
很抱歉的长期职位,并非常感谢帮助了
修改
按<一个href="http://stackoverflow.com/questions/4074199/jquery-ajax-calls-and-the-html-antiforgerytoken/4074289#4074289">jayrdub答案我已经使用以下列方式
$(a.markAsDone)。点击(函数(事件){
。事件preventDefault();
$阿贾克斯({
类型:后,
数据类型:HTML,
网址:$(本).attr(相对),
数据: {
AddAntiForgeryToken({}),
ID形式:parseInt($(本).attr(标题))
},
成功:函数(响应){
// ....
}
});
});
我用这样一个简单的js函数
AddAntiForgeryToken =功能(数据){
数据.__ RequestVerificationToken = $('#__ AjaxAntiForgeryForm输入[名称= __ RequestVerificationToken])VAL()。
返回的数据;
};
由于页面上的每个形式将有令牌相同的值,只是把这样的事情在你最顶端的母版页
&LT;% - 用于阿贾克斯AddAntiForgeryToken() - %&GT;
&LT;形式ID =__ AjaxAntiForgeryForm行动=#的方法=后&GT;&LT;%= Html.AntiForgeryToken()%&GT;&LT; /形式GT;
然后在你的Ajax调用做(编辑以满足你的第二个例子)
$。阿贾克斯({
类型:后,
数据类型:HTML,
网址:$(本).attr(相对),
数据:AddAntiForgeryToken({ID形式:parseInt($(本).attr(标题))}),
成功:函数(响应){
// ....
}
});
I have implemented in my app the mitigation to CSRF attacks following the informations that I have read on some blog post around the internet. In particular these post have been the driver of my implementation
- Best Practices for ASP.NET MVC from the ASP.NET and Web Tools Developer Content Team
- Anatomy of a Cross-site Request Forgery Attack from Phil Haack blog
- AntiForgeryToken in the ASP.NET MVC Framework - Html.AntiForgeryToken and ValidateAntiForgeryToken Attribute from David Hayden blog
Basically those articles and recommendations says that to prevent the CSRF attack anybody should implement the following code:
1) Add the [ValidateAntiForgeryToken]
on every action that accept the POST Http verb
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult SomeAction( SomeModel model ) {
}
2) Add the <%= Html.AntiForgeryToken() %>
helper inside forms that submits data to the server
<div style="text-align:right; padding: 8px;">
<%= Html.AntiForgeryToken() %>
<input type="submit" id="btnSave" value="Save" />
</div>
Anyway in some parts of my app I am doing Ajax POSTs with jQuery to the server without having any form at all. This happens for example where I am letting the user to click on an image to do a specific action.
Suppose I have a table with a list of activities. I have an image on a column of the table that says "Mark activity as completed" and when the user click on that activity I am doing the Ajax POST as in the following sample:
$("a.markAsDone").click(function (event) {
event.preventDefault();
$.ajax({
type: "post",
dataType: "html",
url: $(this).attr("rel"),
data: {},
success: function (response) {
// ....
}
});
});
How can I use the <%= Html.AntiForgeryToken() %>
in these cases? Should I include the helper call inside the data parameter of the Ajax call?
Sorry for the long post and thanks very much for helping out
EDIT:
As per jayrdub answer I have used in the following way
$("a.markAsDone").click(function (event) {
event.preventDefault();
$.ajax({
type: "post",
dataType: "html",
url: $(this).attr("rel"),
data: {
AddAntiForgeryToken({}),
id: parseInt($(this).attr("title"))
},
success: function (response) {
// ....
}
});
});
I use a simple js function like this
AddAntiForgeryToken = function(data) {
data.__RequestVerificationToken = $('#__AjaxAntiForgeryForm input[name=__RequestVerificationToken]').val();
return data;
};
Since every form on a page will have the same value for the token, just put something like this in your top-most master page
<%-- used for ajax in AddAntiForgeryToken() --%>
<form id="__AjaxAntiForgeryForm" action="#" method="post"><%= Html.AntiForgeryToken()%></form>
Then in your ajax call do (edited to match your second example)
$.ajax({
type: "post",
dataType: "html",
url: $(this).attr("rel"),
data: AddAntiForgeryToken({ id: parseInt($(this).attr("title")) }),
success: function (response) {
// ....
}
});
这篇关于jQuery的Ajax调用和Html.AntiForgeryToken()的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!