CSRF(Cross-site request forgery)跨站请求伪造,ASP.NET MVC 应用通过使用AJAX请求来提升用户体验,浏览器开发者工具可以一览众山小,就很容易伪造了请求对应用进行攻击,从而泄露核心数据,导致安全问题。微软自带AntiForgeryToken可以解决,而且语法简单(AJAX请求发起时传递给后台一个字符串,然后在Filter中进行校验)
2.场景如下
为了验证一个来自form post请求,还需要在目标action上增加自定义[AntiForgeryToken]特性,下面会介绍到这个自定义特性用法
/// <summary> /// 首页 /// </summary> public class HomeController : Controller { /// <summary> /// 用户登录了111111 /// </summary> /// <returns></returns> public ActionResult Index() { return View(); } /// <summary> /// Your application description page. /// </summary> /// <returns></returns> public ActionResult About() { ViewBag.Message = "Your application description page."; return View(); } /// <summary> /// Your contact page. /// </summary> /// <param>姓名</param> /// <returns></returns> public ActionResult Contact(string name) { ViewBag.Message = "Your contact page."; return View(); } /// <summary> /// /// </summary> /// <returns></returns> public ActionResult Person() { return View(); } /// <summary> /// /// </summary> /// <param></param> /// <param></param> /// <returns></returns> [HttpPost] [AntiForgeryToken] public ActionResult UserInfo(string Name,string Age) { return Json(Name + Age); } }