CSRF保护AJAX请求使用MVC2 [英] CSRF Protection in AJAX Requests using MVC2
问题描述
我建立的页面严重依赖AJAX。基本上,只有一个页和每一个数据传输是通过AJAX来处理。由于在浏览器端缓存过于乐观导致了奇怪的问题(数据未重新加载),我必须使用POST来执行所有请求(也读) - 强制重载
The page I'm building depends heavily on AJAX. Basically, there is just one "page" and every data transfer is handled via AJAX. Since overoptimistic caching on the browser side leads to strange problems (data not reloaded), I have to perform all requests (also reads) using POST - that forces a reload.
现在我想prevent对CSRF的页面。表单提交,使用 Html.AntiForgeryToken()作品整齐,但在AJAX请求,我想我必须手动添加标记?有什么出了的盒可用?
Now I want to prevent the page against CSRF. With form submission, using Html.AntiForgeryToken() works neatly, but in AJAX-request, I guess I will have to append the token manually? Is there anything out-of-the box available?
我当前的尝试看起来像这样的:
我很想重用现有的魔力。然而, HtmlHelper.GetAntiForgeryTokenAndSetCookie 是私人的,我不想砍周围MVC。另一种选择是写像
I'd love to reuse the existing magic. However, HtmlHelper.GetAntiForgeryTokenAndSetCookie is private and I don't want to hack around in MVC. The other option is to write an extension like
public static string PlainAntiForgeryToken(this HtmlHelper helper)
{
// extract the actual field value from the hidden input
return helper.AntiForgeryToken().DoSomeHackyStringActions();
}
这是有点哈克并保留更大的问题没有解决:如何验证令牌?默认验证实现是反对使用表单域的内部和硬codeD。我试着写一个稍微修改 ValidateAntiForgeryTokenAttribute ,但它使用了 AntiForgeryDataSerializer 这是私人的,我真的不想复制这一点。
which is somewhat hacky and leaves the bigger problem unsolved: How to verify that token? The default verification implementation is internal and hard-coded against using form fields. I tried to write a slightly modified ValidateAntiForgeryTokenAttribute, but it uses an AntiForgeryDataSerializer which is private and I really didn't want to copy that, too.
在这一点上似乎更容易想出一个自主开发的解决方案,但是这确实是重复的code。
At this point it seems to be easier to come up with a homegrown solution, but that is really duplicate code.
任何建议如何做到这一点聪明的办法?我失去了一些东西完全明显?
Any suggestions how to do this the smart way? Am I missing something completely obvious?
推荐答案
您可以使用常规的 Html.AntiForgeryToken()助手生成一个隐藏字段的地方在页面上(不一定是表单内),并包括沿Ajax请求:
You could use the conventional Html.AntiForgeryToken() helper to generate a hidden field somewhere on the page (not necessarily inside a form) and include it along the ajax request:
var token = $('input[name=__RequestVerificationToken]').val();
$.post(
'/SomeAction', { '__RequestVerificationToken': token },
function() {
alert('Account Deleted.');
}
);
要在服务器端进行验证:
To verify it on the server side:
[AcceptVerbs(HttpVerbs.Post)]
[ValidateAntiForgeryToken]
public ActionResult SomeAction()
{
return View();
}
如果你有你的页面上的多个标记,你可能需要指定要包括的之一。由于现有的辅助生成隐藏字段具有相同名称是很难做出很好的选择,所以你可以把他们里面涵盖:
If you have multiple tokens on your page you might need to specify which one to include. As the existing helper generates the hidden fields with the same names it is difficult to make a good selector so you could place them inside spans:
<span id="t1"><%= Html.AntiForgeryToken() %></span>
<span id="t2"><%= Html.AntiForgeryToken() %></span>
,然后选择相应的记号:
and then select the corresponding token:
var token = $('#t1 input[name=__RequestVerificationToken]').val();
这篇关于CSRF保护AJAX请求使用MVC2的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
