任何理由不相信ASP.NET AntiForgeryToken? [英] Any reason not to trust ASP.NET AntiForgeryToken?
问题描述
我知道堆栈Exchange站点不使用ASP.NET MVC内置的 @ Html.AntiForgeryToken()为XSRF / CSRF攻击的prevention 。而不是创建一个名为隐藏输入的 __ RequestVerificationToken 与很长的基础上,web.config中的部分的machineKey值,堆栈交换方法创建一个名为 FKEY 与 MUCH 的更简洁的输入值。这显然是一个GUID,并根据从堆栈交换数据资源管理器项目在谷歌$证据C $ç,这个值被绑定到每个用户,直到你登录或注销剩余的相当稳定。
I know that Stack Exchange sites do not use the ASP.NET MVC built-in @Html.AntiForgeryToken() for the prevention of XSRF/CSRF attacks. Instead of creating a hidden input named __RequestVerificationToken with a really long value based on the machineKey section of the web.config, the Stack Exchange method creates an input named fkey with a MUCH more succinct value. This is apparently a Guid, and based on evidence from the Stack Exchange Data Explorer project on Google Code, this value is tied to each individual user, remaining fairly constant until you log in or out.
此外,堆叠交换价值是在页面上不变,并提供给客户端脚本,让阿贾克斯帖子投票之类的东西也使用该令牌。相比之下
Also, the Stack Exchange value is constant on a page, and is made available to client script, so that Ajax posts for voting and things like that also use the token. By contrast
那么,为什么堆栈所3月到自己的鼓手?
So why does Stack Exchange march to its own drummer?
- 有没有理由不相信AntiForgeryToken?
- 是否AntiForgeryToken有一定的局限性堆栈Exchange团队不愿意接受?如果是干什么的?
- 或者,也许只是AntiForgeryToken不在身边(它开始在MVC期货项目的生命),当堆栈溢出开始,如果他们有它从头今天这样对他们会用AntiForgeryToken?
我一直无法找到任何杰夫的博客文章或其他人在堆栈Exchange团队解释背后的指导原则如何SE网络上的XSRF- prevention政策。这将是非常好的,如果他们中的一个可以做一个写了,假设,当然,它可以笼统地完成,而无需创建一个漏洞。这将是对我们这些希望使我们的网站安全,但不完全满意只是一味地相信微软为我们做真正有价值的信息。
I've been unable to find any blog posts from Jeff or others on the Stack Exchange team to explain the guiding principles behind how the XSRF-prevention policy on the SE network. It would be really nice if one of them could do a write-up, assuming of course that it could be done in general terms without creating a vulnerability. It would be really valuable information for those of us that want to make our websites secure, but aren't entirely comfortable just blindly trusting Microsoft to do it for us.
推荐答案
我们遇到了与默认实现的一个限制是缺乏对AJAX调用外的现成支持。隐藏字段方法适用于主要处理传统形式权限的网站;但是,不完全对AJAX富集的站点,像这样。
The one limitation we ran into with the default implementation was the lack of out-of-the-box support for AJAX calls. The hidden field approach works for sites that primarily deal with traditional form POSTs; but, not quite for AJAX heavy sites like SO.
我们实现这个
We implemented the approach outlined in this CodeThinked blog post and we couldn't be happier. It looks like Phil Haack also supports this approach, based on his oct 2011 blog post
的(不请自来,我知道!)指针情侣:
Couple of (unsolicited, I know!) pointers:
- 如果你正在运行一个Web的农场,你当然应该使用静态的machineKey在你的web.config
- 确保所有服务器有的安装此KB。否则,你可能会碰到的machineKey验证问题
- if you are running a web-farm, you should, of course use a static machinekey in your Web.config
- Make sure all your servers have this KB installed. Otherwise, you may run into machinekey validation issues
这篇关于任何理由不相信ASP.NET AntiForgeryToken?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
