how AntiForgeryToken() works in MVC and how to retrieve value at server action method from AntiForgeryToken?

Views: 125

Problem description

I was reading about AntiForgeryToken but do not understand its actual use or importance. I saw people write code like this in their form:

@using (Html.BeginForm("Create", "Register")) 
{ 
    @Html.AntiForgeryToken()  
}

So what it does... it will generate a unique token, and when the form is posted this unique token will be passed, and a cookie will also be passed with the same unique token value, and the two unique values will be compared at the server end to check whether they are equal. If not, then some tampering has occurred.

I just do not understand: if another form field's value is changed or tampered with, how can that tampering be determined? Suppose we often store valuable data inside hidden fields. If I need to secure those hidden fields' values, then how can AntiForgeryToken help us?

Can we use AntiForgeryToken to wrap up that valuable data inside it and later compare it at the server end?

Can anyone give me a bit of sample code by which I can put 3 valuable data items in my page and, if they are tampered with, a friendly message will be shown to the user? Guide me on how to do it. Thanks.

Recommended answer

The idea behind the AntiForgeryToken is to prevent data being posted from a "fake" source. An attacker using a fake (forged) form can trick the user into submitting any kind of data using their current session context. As you can imagine, this can do quite a lot of damage.

A way to prevent this is to have a hidden field on your forms containing user-specific data (something random) that is stored in the session, so that the bad guys can't forge it. In this case, when a user posts the data but doesn't have the user-specific token, you can treat it as being malicious.

I think you have a misconception that the anti-forgery token is about detecting whether the data posted has been "tampered" with, which it is not.
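The round trip the answer describes, as an added example that is not code from the original post: the form shown in the question emits the hidden token, the POST action validates it against the cookie, and a validation failure is turned into the friendly message the question asks for. It assumes ASP.NET MVC 5 (System.Web.Mvc and System.Web.Helpers referenced); RegisterController, RegisterModel and the FriendlyError view are hypothetical names.

```csharp
// Added example, not from the original post. Assumes ASP.NET MVC 5;
// RegisterController, RegisterModel and the "FriendlyError" view are hypothetical.
using System.Web.Helpers;
using System.Web.Mvc;

public class RegisterController : Controller
{
    // GET /Register/Create: renders the view containing Html.BeginForm and
    // @Html.AntiForgeryToken(). That helper writes a hidden
    // "__RequestVerificationToken" field and sets a paired cookie on the response.
    [HttpGet]
    public ActionResult Create()
    {
        return View();
    }

    // POST /Register/Create: the attribute reads the cookie token and the hidden
    // field, checks they were issued as a pair for this user, and throws
    // HttpAntiForgeryException before the action body runs if they do not match.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(RegisterModel model)
    {
        // Reaching this point means the post came from a page this application
        // served to this user. It says nothing about whether other fields of
        // "model" were altered; those still need their own server-side validation.
        if (!ModelState.IsValid)
            return View(model);
        return RedirectToAction("Index", "Home");
    }

    // Same check done by hand, for when the raw values are needed in the action.
    [HttpPost]
    public ActionResult CreateManual(RegisterModel model)
    {
        var cookie = Request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;
        string formToken = Request.Form["__RequestVerificationToken"];
        AntiForgery.Validate(cookieToken, formToken); // throws HttpAntiForgeryException on mismatch
        return RedirectToAction("Index", "Home");
    }

    // Converts a failed token check into a friendly page instead of a raw error.
    protected override void OnException(ExceptionContext filterContext)
    {
        if (filterContext.Exception is HttpAntiForgeryException)
        {
            filterContext.ExceptionHandled = true;
            ViewBag.Message = "This form could not be verified. Please reload the page and try again.";
            filterContext.Result = View("FriendlyError");
        }
        base.OnException(filterContext);
    }
}
```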
