本文共 3433 字，大约阅读时间需要 11 分钟。

1.前言

ASP.NET MVC 应用通过使用AJAX请求来提升用户体验。AJAX请求不会刷新整个页面,用户几乎感知不到请求的发送和处理过程,正是这样,AJAX请求的安全性就十分重要了,如果有人伪造了请求,就很容易对应用进行攻击,从而泄露核心数据,导致安全问题。

2.解决方案

如何确保AJAX请求没有被伪造呢？解决办法就是在AJAX请求发起时传递给后台一个字符串，然后在Filter中进行校验。

3.例子

1）Model

namespace AntiForgeryTokenDemo.Models{    public class Person    {        private string name;        public string Name        {            get { return name; }            set { name = value; }        }        private string age;        public string Age        {            get { return age; }            set { age = value; }        }    }}

@model AntiForgeryTokenDemo.Models.Person@{    ViewBag.Title = "Home Page";}
Index
   
    
    
        
     
Persen
        
     
        @Html.ValidationSummary(true, "", new { @class = "text-danger" })        
     
                  @Html.LabelFor(model => model.Name, htmlAttributes: new { @class = "control-label col-md-2" })            
      
                       @Html.EditorFor(model => model.Name, new { htmlAttributes = new { @class = "form-control" } })                @Html.ValidationMessageFor(model => model.Name, "", new { @class = "text-danger" })            
      
        
     
        
     
                  @Html.LabelFor(model => model.Age, htmlAttributes: new { @class = "control-label col-md-2" })            
      
                       @Html.EditorFor(model => model.Age, new { htmlAttributes = new { @class = "form-control" } })                @Html.ValidationMessageFor(model => model.Age, "", new { @class = "text-danger" })            
      
        
     
        
     
            
      
                
                   
      
        
     
    
    
   

public class HomeController : Controller{        public ActionResult Index()        {            return View();        }        [HttpPost]        [MyValidateAntiForgeryToken]        public ActionResult Index(Person p)        {            return Json(true, JsonRequestBehavior.AllowGet);        }        public ActionResult About()        {            ViewBag.Message = "Your application description page.";            return View();        }        public ActionResult Contact()        {            ViewBag.Message = "Your contact page.";            return View();        }}

using System;using System.Collections.Generic;using System.Linq;using System.Net;using System.Web;using System.Web.Helpers;using System.Web.Mvc;namespace AntiForgeryTokenDemo.Filters{    public class MyValidateAntiForgeryToken : AuthorizeAttribute    {        public override void OnAuthorization(AuthorizationContext filterContext)        {            var request = filterContext.HttpContext.Request;            if (request.HttpMethod == WebRequestMethods.Http.Post)            {                if (request.IsAjaxRequest())                {                    var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName];                    var cookieValue = antiForgeryCookie != null                        ? antiForgeryCookie.Value                        : null;                    //从cookies 和 Headers 中 验证防伪标记                    //这里可以加try-catch                    AntiForgery.Validate(cookieValue, request.Headers["__RequestVerificationToken"]);                }                else                {                    new ValidateAntiForgeryTokenAttribute()                        .OnAuthorization(filterContext);                }            }        }    }}