asp.net-mvc @Html.AntiForgeryToken() 有什么用?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/44783702/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What is the use of @Html.AntiForgeryToken()?
提问by Mhd
Why we need to use @Html.AntiForgeryToken()?
I searched but I didn't get satisfactory answer.
为什么我们需要使用@Html.AntiForgeryToken()?我搜索了但没有得到满意的答案。
回答by Dynamikus
This is a security feature to help protect your application against cross-site request forgery.
这是一项安全功能,可帮助保护您的应用程序免受跨站点请求伪造。
Example:
例子:
Let's assume you have a register functionality in your web app. You have an AccountController(somename.com/account/register) where you expect people to submit their info. Normally before someone posts the registration information needs to visit the actual (somename.com/account/register) than submit the form.
假设您的 Web 应用程序中有注册功能。您有一个 AccountController( somename.com/account/register),您希望人们在其中提交他们的信息。通常在有人发布注册信息之前需要访问实际(somename.com/account/register)而不是提交表格。
Let say I am a bad guy and I want to flood your server with junk info all I need to do is just keep posting directly to (somename.com/account/register) without visiting your site. So in order to stop me you implement AntiForgeryToken so you can make it sure I visited the page before I submitted the registration information.
假设我是一个坏人,我想用垃圾信息淹没你的服务器,我需要做的就是直接在 ( somename.com/account/register) 上发帖而不访问你的网站。因此,为了阻止我,您实施了 AntiForgeryToken,以便确保我在提交注册信息之前访问了该页面。
Another example is http://www.binaryintellect.net/articles/20e546b4-3ae9-416b-878e-5b12434fe7a6.aspx.
另一个例子是http://www.binaryintellect.net/articles/20e546b4-3ae9-416b-878e-5b12434fe7a6.aspx。
回答by Jordi Corbilla
This is to prevent Cross-site request forgeryin your MVC application. This is part of the OWASP Top 10and it is vital in terms of web security. Using the @Html.AntiforgeryToken()method will generate a token per every request so then no one can forge a form post.
这是为了防止MVC 应用程序中的跨站点请求伪造。这是OWASP Top 10 的一部分,它在 Web 安全方面至关重要。使用该@Html.AntiforgeryToken()方法将为每个请求生成一个令牌,因此没有人可以伪造表单帖子。
回答by Arun Kumar Tiwari
What is the use of @Html.AntiForgeryToken()?
有什么用@Html.AntiForgeryToken()?
Live - Scenario :
现场 - 场景:
Suppose, you are logged into your bank account and are going to transfer some money to your friend. A hacker knows that you are logged in and also knows the URL of the money transfer submission. Suddenly, you get an email and check it. You see an image and by mistake, you click on that. Then, after a minute or so, you get another message that some amount has been deducted from your account. Actually, that image had been sent by the hacker and behind that image a URL has been submitted on your click.
假设您登录了您的银行帐户,并准备向您的朋友转账一些钱。黑客知道您已登录,也知道汇款提交的 URL。突然,你收到一封电子邮件并查看它。您看到一个图像,但错误地单击了该图像。然后,大约一分钟后,您会收到另一条消息,说明已从您的帐户中扣除了一些金额。实际上,该图片是由黑客发送的,并且在该图片的后面,您点击时已提交了一个 URL。
So that we use AntiForgeryToken()in application prevent from hackers.
以便我们AntiForgeryToken()在应用程序中使用防止黑客。
