在ASP.NET MVC中,没有AntiForgeryToken的删除操作方法是否不安全?
[英]Is Delete Action Method without AntiForgeryToken unsafe in ASP.NET MVC?
问题描述
I have a grid in one of my views and created an Actions column in it. 
我的一个视图中有一个网格,并在其中创建了一个“动作”列。 In that column are buttons for editing and deleting. 在该列中是用于编辑和删除的按钮。 When the user clicks the delete button I use jQuery to access its click event. 当用户单击删除按钮时,我使用jQuery访问其click事件。
Here is what my ajax delete looks like: 这是我的ajax删除的样子:
$(document).on('click', '.btnDeleteRole', function (e) {
e.preventDefault();
if (confirm("Are you sure you want to delete this record?")) {
var $this = $(this); //store $(this) to a variable
var roleId = $this.attr('data-role-Id');
$.ajax({
type: "POST",
url: "/admin/roles/delete",
data: { id: roleId },
dataType: "html",
success: function (data) {
// rebind kendo grid
}
});
}
});
Here is what my delete action method looks like: 这是我的删除操作方法的样子:
// POST: Roles/Delete/5
[Route("roles/delete")]
[HttpPost]
public async Task<IActionResult> RoleDelete(string id)
{
IdentityRole role = await _roleManager.FindByIdAsync(id);
await _roleManager.DeleteAsync(role);
return RedirectToAction("RoleIndex");
}
Since the delete button isn't part of a form I can't have an AntiForgeryToken annotation above my ActionMethod.. 由于删除按钮不是表单的一部分,因此我无法在ActionMethod上方添加AntiForgeryToken注释。
Is deleting items like this safe? 这样删除项目安全吗?
1 个解决方案
解决方案1
4 已采纳 2016-04-17 21:20:14
No, it isn't safe. 不,这不安全。 If you don't use antiforgerytoken you are exposed to CSRF attacks, as described here . 如果你不使用你antiforgerytoken暴露于CSRF攻击,如所描述这里 。
You just need to send the main form hidden token in your grid delete posts. 您只需要在网格删除帖子中发送主表单隐藏令牌即可。 You don't need one token per row, as you have the form's hidden token and the cookie's token which is all you need. 每行不需要一个令牌,因为您拥有表单所需的隐藏令牌和cookie令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.