
Using ASP.NET MVC3 AntiForgery token from CCW

I have some legacy applications that are currently posting basic information to an MVC3 form. I would like to separate that out to a GET and pass the values in the querystring. Easy enough. However, I would like to add an anti-forgery token to the request. First of all, does this seem like a good option? Second, are there any examples of implementing such functionality from a non-MVC3 module to an MVC3 form?

My other alternative would be to encrypt the querystring.

The Anti-Forgery Token as implemented by ASP.NET is meant as a mechanism to prevent CSRF (that is, cross-site request forgery) and only works with HTTP POST.

Since you are implementing a GET based "API" this Token won't work (BEWARE of limits, for example on the length of a querystring).

I am not sure what exactly your goal is... Depending on your goal the solution is encrypting or signing the querystring, or both.
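The answer above says the options for a GET "API" are signing or encrypting the querystring. The following is an added example, not code from the question, the answers or the ASP.NET framework, of the signing option in C#: the legacy application appends a timestamp and an HMAC-SHA256 over the canonicalised parameters, and the MVC3 action verifies the signature in constant time and rejects stale URLs. The class and method names, the `ts` and `sig` parameter names, the five-minute window and the secret are assumptions chosen for illustration; the real secret belongs in configuration shared only by the two applications.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the question or the answers): HMAC-signed query string for a GET "API".
// The secret, the parameter names "ts"/"sig" and the 5-minute window are assumptions for illustration.
public static class SignedQuery
{
    const string SigParam = "sig";
    const string TsParam = "ts";
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Legacy side: returns "age=25&name=John%20Doe&ts=...&sig=..." ready to append after '?'.
    public static string Sign(IDictionary<string, string> values, byte[] key, DateTime utcNow)
    {
        var ordered = new SortedDictionary<string, string>(values, StringComparer.Ordinal);
        ordered[TsParam] = UnixSeconds(utcNow).ToString();
        string canonical = Canonical(ordered);
        return canonical + "&" + SigParam + "=" + Hex(Hmac(key, canonical));
    }

    // MVC3 side: returns the verified parameters, or null when the signature is missing,
    // wrong, or older than maxAge (without the window a captured signed URL replays forever).
    public static IDictionary<string, string> Verify(string query, byte[] key, DateTime utcNow, TimeSpan maxAge)
    {
        SortedDictionary<string, string> parsed = Parse(query);
        string presentedHex;
        if (!parsed.TryGetValue(SigParam, out presentedHex)) return null;
        parsed.Remove(SigParam);

        byte[] presented;
        try { presented = FromHex(presentedHex); } catch (FormatException) { return null; }
        byte[] expected = Hmac(key, Canonical(parsed));
        if (!FixedTimeEquals(expected, presented)) return null;

        string tsText; long ts;
        if (!parsed.TryGetValue(TsParam, out tsText) || !long.TryParse(tsText, out ts)) return null;
        long age = UnixSeconds(utcNow) - ts;
        if (age < 0 || age > (long)maxAge.TotalSeconds) return null;
        return parsed;
    }

    static long UnixSeconds(DateTime utc) { return (long)(utc - Epoch).TotalSeconds; }

    // Canonical form: keys sorted ordinally, key and value percent-encoded, pairs joined with '&'.
    static string Canonical(IDictionary<string, string> ordered)
    {
        return string.Join("&", ordered.Select(kv =>
            Uri.EscapeDataString(kv.Key) + "=" + Uri.EscapeDataString(kv.Value)));
    }

    static SortedDictionary<string, string> Parse(string query)
    {
        var result = new SortedDictionary<string, string>(StringComparer.Ordinal);
        foreach (string pair in query.TrimStart('?').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            string[] kv = pair.Split(new[] { '=' }, 2);
            result[Uri.UnescapeDataString(kv[0])] = kv.Length == 2 ? Uri.UnescapeDataString(kv[1]) : "";
        }
        return result;
    }

    static byte[] Hmac(byte[] key, string text)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.UTF8.GetBytes(text));
    }

    static string Hex(byte[] b) { return BitConverter.ToString(b).Replace("-", "").ToLowerInvariant(); }

    static byte[] FromHex(string hex)
    {
        if (hex.Length % 2 != 0) throw new FormatException("odd-length hex");
        var b = new byte[hex.Length / 2];
        for (int i = 0; i < b.Length; i++) b[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return b;
    }

    // Constant-time comparison; .NET 4.0 (the MVC3 era) has no CryptographicOperations.FixedTimeEquals.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed secret for the demo only; in production read it from protected configuration.
        byte[] key = Encoding.UTF8.GetBytes("constructed-shared-secret-put-real-one-in-config");
        DateTime now = DateTime.UtcNow;
        var values = new Dictionary<string, string> { { "name", "John Doe" }, { "age", "25" } };

        string query = Sign(values, key, now);
        Console.WriteLine(query);
        Console.WriteLine("valid:    " + (Verify(query, key, now, TimeSpan.FromMinutes(5)) != null));
        Console.WriteLine("tampered: " + (Verify(query.Replace("age=25", "age=52"), key, now, TimeSpan.FromMinutes(5)) == null));
        Console.WriteLine("expired:  " + (Verify(query, key, now.AddMinutes(10), TimeSpan.FromMinutes(5)) == null));
    }
}
```

Signing guarantees that the values were produced by a holder of the key and were not altered in transit; it does not hide them. If the querystring carries anything confidential, encrypt it as well (the answer's "or both"), and keep in mind that signed GET URLs still end up in browser history, proxy and server logs.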

You can post whatever you want to this MVC3 action. You only have to make sure your postdata matches the serverside object. And yes, you have to use an antiforgery token for safety.

In JavaScript you can make for example a post like this with jQuery. As you can see I don't use the form, but just some JavaScript code. MVC can perfectly handle this.

$.ajax({
    type: 'POST',
    url: urlToYourMvcAction,
    data: {
        name: 'John Doe',
        age: 25
    },
    success: successCallback,
    error: errorCallback
});

public class Person
{
    public int Id { get; set; }
    public string Name { get; set; }
    public int Age { get; set; }
}

public class PersonController : Controller
{
    [HttpPost]
    public ActionResult Add(Person person)
    {
          //Your code
    }
}

You can easily make the same post request with the C# WebClient object in your legacy application. You can use Fiddler or the developer tools to inspect the request and pass in the correct parameters needed to make the post.

Oh, and using a get request can give you trouble when the requests are getting bigger. Posts are meant to send data to the server. Gets are meant for getting data from the server.
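The answer says to send the same POST from the legacy application and to include the antiforgery token, but its controller does not actually check one. The following added example (not code from the question, the answers or the framework) shows both halves of that round trip in C#: the MVC3 action decorated with `[ValidateAntiForgeryToken]`, and a legacy-side client that first GETs the page rendered with `@Html.AntiForgeryToken()`, reads the hidden `__RequestVerificationToken` field, and then POSTs it back together with the cookie the helper set. `HttpWebRequest` with a `CookieContainer` is used instead of `WebClient` because `WebClient` does not keep cookies unless it is subclassed; the URLs, the `AntiForgeryClient` name and the sample HTML are assumptions, and `Person` is the class from the answer above.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;
using System.Web.Mvc;

// --- MVC3 side (added example): the answer's action, now actually validating the token. ---
// The corresponding view is assumed to contain a form with @Html.AntiForgeryToken(), which
// renders the hidden __RequestVerificationToken input and sets the matching cookie.
public class PersonController : Controller
{
    [HttpGet]
    public ActionResult Add() { return View(); }

    [HttpPost]
    [ValidateAntiForgeryToken]   // rejects posts whose form field and cookie do not match
    public ActionResult Add(Person person)
    {
        // Your code
        return Content("ok");
    }
}

// --- Legacy side (added example): fetch the form, extract the token, post it back. ---
public static class AntiForgeryClient
{
    // Tolerates any attribute order; MVC3 renders name="..." type="hidden" value="...".
    static readonly Regex HiddenToken = new Regex(
        "<input[^>]*name=\"__RequestVerificationToken\"[^>]*value=\"([^\"]*)\"", RegexOptions.IgnoreCase);

    // Returns the hidden field value from the rendered form, or null when the form has none.
    public static string ExtractFormToken(string html)
    {
        Match m = HiddenToken.Match(html);
        return m.Success ? m.Groups[1].Value : null;
    }

    // GET the form page (collecting the anti-forgery cookie), then POST the fields plus the
    // token using the same cookie jar so both halves of the token reach the server.
    public static string PostWithToken(Uri formUrl, Uri postUrl, string name, int age)
    {
        var jar = new CookieContainer();

        var get = (HttpWebRequest)WebRequest.Create(formUrl);
        get.CookieContainer = jar;
        string html;
        using (var resp = (HttpWebResponse)get.GetResponse())
        using (var reader = new StreamReader(resp.GetResponseStream()))
            html = reader.ReadToEnd();

        string token = ExtractFormToken(html);
        if (token == null) throw new InvalidOperationException("form has no __RequestVerificationToken");

        string body = "__RequestVerificationToken=" + Uri.EscapeDataString(token)
                    + "&Name=" + Uri.EscapeDataString(name)
                    + "&Age=" + age;
        byte[] bytes = Encoding.UTF8.GetBytes(body);

        var post = (HttpWebRequest)WebRequest.Create(postUrl);
        post.Method = "POST";
        post.ContentType = "application/x-www-form-urlencoded";
        post.ContentLength = bytes.Length;
        post.CookieContainer = jar;   // carries the anti-forgery cookie back with the form field
        using (Stream s = post.GetRequestStream()) s.Write(bytes, 0, bytes.Length);
        using (var resp = (HttpWebResponse)post.GetResponse())
        using (var reader = new StreamReader(resp.GetResponseStream()))
            return reader.ReadToEnd();
    }

    static void Main(string[] args)
    {
        // Constructed sample of what @Html.AntiForgeryToken() renders, used for an offline check
        // of the extractor; the value is a placeholder, not a real token.
        const string sample = "<form action=\"/Person/Add\" method=\"post\">"
            + "<input name=\"__RequestVerificationToken\" type=\"hidden\" value=\"TOKEN-PLACEHOLDER\" />"
            + "</form>";
        Console.WriteLine(ExtractFormToken(sample));

        // Live run only when both URLs are supplied, e.g. http://host/Person/Add http://host/Person/Add
        if (args.Length == 2)
            Console.WriteLine(PostWithToken(new Uri(args[0]), new Uri(args[1]), "John Doe", 25));
    }
}
```

Two things to watch when wiring this up: the token is only as good as the cookie it is paired with, so the client must reuse the same `CookieContainer` for the GET and the POST; and if the action sits behind forms authentication, that container must also hold the authentication cookie, because MVC3 binds the anti-forgery token to the logged-in user name and rejects a token issued for a different identity.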
