I need to implement cross site request forgery (CSRF) protection in ASP.NET webform
Problem description
I need to implement CSRF in asp.net web forms to prevent unwanted cross site requests.
[edit]Added the word "Protection" to subject line to prevent "malicious coder" kicking, and added code block to "What have you tried" section - OriginalGriff[/edit]
What I have tried:
I have tried the code below to implement CSRF but it did not work for me.
    using System;
    using System.Web;
    using System.Web.Security;
    using System.Web.UI;

    // Base page class carrying the anti-XSRF check; pages inherit from it instead of System.Web.UI.Page.
    public class CSRFBASE : System.Web.UI.Page
    {
        private const string AntiXsrfTokenKey = "__AntiXsrfToken";
        private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
        private string _antiXsrfTokenValue;

        protected void Page_Init(object sender, EventArgs e)
        {
            // The code below helps to protect against XSRF attacks
            var requestCookie = Request.Cookies[AntiXsrfTokenKey];
            Guid requestCookieGuidValue;
            if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
            {
                // Use the Anti-XSRF token from the cookie
                _antiXsrfTokenValue = requestCookie.Value;
                Page.ViewStateUserKey = _antiXsrfTokenValue;
            }
            else
            {
                // Generate a new Anti-XSRF token and save to the cookie
                _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
                Page.ViewStateUserKey = _antiXsrfTokenValue;
                var responseCookie = new HttpCookie(AntiXsrfTokenKey)
                {
                    HttpOnly = true,
                    Value = _antiXsrfTokenValue
                };
                // Mark the cookie Secure only when forms authentication requires SSL and the request arrived over HTTPS
                if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
                {
                    responseCookie.Secure = true;
                }
                Response.Cookies.Set(responseCookie);
            }
            Page.PreLoad += master_Page_PreLoad;
        }

        protected void master_Page_PreLoad(object sender, EventArgs e)
        {
            if (!IsPostBack)
            {
                // Set Anti-XSRF token
                ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
                ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
            }
            else
            {
                // Validate the Anti-XSRF token
                if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                    || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
                {
                    throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
                }
            }
        }
    }
Recommended answer
Prevent Cross-Site Request Forgery (CSRF) using ASP.NET MVC’s AntiForgeryToken() helper[^]
Preventing Cross-Site Request Forgery (CSRF) Attacks in ASP.NET Web API | Microsoft Docs[^]
Preventing Cross-Site Request Forgery (XSRF/CSRF) Attacks in ASP.NET Core | Microsoft Docs[^]
Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - OWASP[^]
webforms - preventing cross-site request forgery (csrf) attacks in asp.net web forms - Stack Overflow[^]