asp.net-mvc: What does '[ValidateAntiForgeryToken]' truly mean?

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use it you must also comply with CC BY-SA, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow. Original: http://stackoverflow.com/questions/18722234/

Date: 2020-09-08 03:09:27  Source: igfitidea

What does '[ValidateAntiForgeryToken]' truly mean?

Tags: asp.net-mvc, asp.net-mvc-3, asp.net-mvc-4

Asked by LifeScript

First of all, I'm still a starter in MVC4. After noticing that many actions are decorated with [ValidateAntiForgeryToken], I googled it, but I'm still kind of confused.

Can anybody explain that concept using a simplest example?


Answer by Andriy Gubal

In simple words it prevents external post requests. So, nobody can use your methods from other sites.


How it works: you have AntiForgeryToken inside your Html.BeginForm in the View.

    @using (Html.BeginForm())
    {
        @Html.AntiForgeryToken()
        // ** fields of form
    }

When you submit the form, you send data to your Controller method. If the method has the ValidateAntiForgeryToken attribute, it validates whether the data you are sending has your ForgeryToken.

    [ValidateAntiForgeryToken]
    public ViewResult Update()
    {
        // This body only runs if the request carried a valid anti-forgery token.
        return View();
    }

ForgeryToken is generated once per session.

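As an added example (not code from either answer), here is the controller pattern sketched above completed with the [HttpPost] restriction it is normally paired with, plus an exception filter that turns a failed token check into a 400 response and a trace entry rather than an unhandled HttpAntiForgeryException. ProfileController, ProfileModel and AntiForgeryFailureFilter are assumed names.

```csharp
using System.Web.Mvc;

// Assumed view model, not from the page.
public class ProfileModel
{
    public string DisplayName { get; set; }
}

public class ProfileController : Controller
{
    // GET renders the form. The view pairs Html.BeginForm() with
    // @Html.AntiForgeryToken(), which emits the hidden form field
    // __RequestVerificationToken and sets a cookie of the same name.
    [HttpGet]
    public ViewResult Update()
    {
        return View();
    }

    // POST changes state, so it is the action that needs the check. [HttpPost]
    // keeps the validated action off GET, where no form field exists and every
    // request would fail. ValidateAntiForgeryToken compares the form field with
    // the cookie before this body runs; on a mismatch it throws
    // HttpAntiForgeryException and the body never executes.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Update(ProfileModel model)
    {
        // ... persist model here ...
        return RedirectToAction("Update");
    }
}

// Exception filter (register it in GlobalFilters.Filters) that turns a failed
// token check into a 400 plus a trace entry, so CSRF attempts show up in
// monitoring instead of as an unhandled server error.
public class AntiForgeryFailureFilter : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        if (!(filterContext.Exception is HttpAntiForgeryException)) return;
        var request = filterContext.HttpContext.Request;
        System.Diagnostics.Trace.TraceWarning(
            "Anti-forgery token rejected: {0} {1} from {2}",
            request.HttpMethod, request.RawUrl, request.UserHostAddress);
        filterContext.Result = new HttpStatusCodeResult(400, "Invalid anti-forgery token");
        filterContext.ExceptionHandled = true;
    }
}
```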

Answer by Bhushan Firake

Lots of info on the AntiForgeryToken here: http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/


This is to prevent a Cross-Site Request Forgery (CSRF). It's pretty standard behavior to click 'Save', submit a form and perform some action on the server, i.e. save a user's details. How do you know the user submitting the form is the user they claim to be? In most cases you'd use some cookie or Windows based auth.

What if an attacker lures you to a site which submits exactly the same form in a little hidden IFRAME? Your cookies get submitted intact and the server doesn't see the request as any different to a legit request. (As gmail has discovered: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/)

The anti-forgery token prevents this form of attack by creating an additional cookie token every time a page is generated. The token is both in the form and the cookie; if the form and cookie don't match we have a CSRF attack (as the attacker wouldn't be able to read the anti-forgery token using the attack described above).

And what does the salt do, from the article above:


Salt is just an arbitrary string. A different salt value means a different anti-forgery token will be generated. This means that even if an attacker manages to get hold of a valid token somehow, they can't reuse it in other parts of the application where a different salt value is required.


How is the token generated? Download the source and have a look at the AntiForgeryDataSerializer and AntiForgeryData classes.