C#: What's the use of the __RequestVerificationToken?
Note: this page reproduces a popular StackOverflow question and is provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/14051456/
What's the use of the __RequestVerificationToken?
Asked by Hugo Delsing
We have a .NET C# MVC application with some forms in it which works fine. Now we also have an ASP Classic vbscript page that needed to interact with these forms, but using a regular post we got an error saying the __RequestVerificationToken wasn't set.
So we request the page and then store the token from the hidden input and the cookie in a variable and send it along with the POST request. And it works.
But seeing it's so simple to bypass it, what's the use of it anyway? It offers hardly any protection.
Accepted answer by tschmit007
This is an anti-forgery token (it prevents CSRF attacks). It guarantees that the poster is the one who gets the form.
It prevents anybody from forging a link and having it activated by a powered user.
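Why fetching the form and replaying both values is not a bypass, shown as an added example that is not part of the original question or answer: a simplified C# model (hypothetical names, not ASP.NET MVC's real token format) in which the server accepts a POST only when the hidden-field token belongs to the cookie token. A page on another site can make the victim's browser send the cookie, but it cannot read the victim's form to obtain the matching field.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simplified model of a paired cookie/form anti-forgery check (added example).
// Assumption: this is not ASP.NET MVC's real token format; all names are hypothetical.
static class AntiForgeryModel
{
    static readonly byte[] ServerKey = RandomBytes(32);

    static byte[] RandomBytes(int n)
    {
        var b = new byte[n];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(b);
        return b;
    }

    // Form token = HMAC of the cookie token under a key only the server holds.
    static string Bind(string cookieToken)
    {
        using (var h = new HMACSHA256(ServerKey))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(cookieToken)));
    }

    // GET of the form: the server sets the cookie and renders the hidden field.
    public static void Issue(out string cookieToken, out string formToken)
    {
        cookieToken = Convert.ToBase64String(RandomBytes(16));
        formToken = Bind(cookieToken);
    }

    // POST: reject unless both values are present and belong together.
    public static bool Validate(string cookieToken, string formToken)
    {
        if (string.IsNullOrEmpty(cookieToken) || string.IsNullOrEmpty(formToken)) return false;
        string expected = Bind(cookieToken);
        int diff = expected.Length ^ formToken.Length;   // constant-time comparison
        for (int i = 0; i < expected.Length && i < formToken.Length; i++) diff |= expected[i] ^ formToken[i];
        return diff == 0;
    }

    static void Main()
    {
        Issue(out string cookie, out string field);   // the user's own session
        Issue(out _, out string otherField);          // field issued to a different session
        Console.WriteLine("client that fetched the form itself:  " + Validate(cookie, field));
        Console.WriteLine("cross-site POST, cookie only:         " + Validate(cookie, null));
        Console.WriteLine("cross-site POST, other session field: " + Validate(cookie, otherField));
    }
}
```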