C# 如何在ASP.Net Web应用程序中防止CSRF攻击?
我想防止我的Web应用程序受到CSRF攻击 我将此解决方案应用于母版页,所有网页都继承自此母版页C# 如何在ASP.Net Web应用程序中防止CSRF攻击?,c#,asp.net,cookies,session-cookies,csrf,C#,Asp.net,Cookies,Session Cookies,Csrf,我想防止我的Web应用程序受到CSRF攻击 我将此解决方案应用于母版页,所有网页都继承自此母版页 public partial class SiteMaster : MasterPage { private const string AntiXsrfTokenKey = "__AntiXsrfToken"; private const string AntiXsrfUserNameKey = "__AntiXsrfUserName"; private string _an
public partial class SiteMaster : MasterPage
{
private const string AntiXsrfTokenKey = "__AntiXsrfToken";
private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
private string _antiXsrfTokenValue;
protected void Page_Init(object sender, EventArgs e)
{
//First, check for the existence of the Anti-XSS cookie
var requestCookie = Request.Cookies[AntiXsrfTokenKey];
Guid requestCookieGuidValue;
//If the CSRF cookie is found, parse the token from the cookie.
//Then, set the global page variable and view state user
//key. The global variable will be used to validate that it matches in the view state form field in the Page.PreLoad
//method.
if (requestCookie != null
&& Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
{
//Set the global token variable so the cookie value can be
//validated against the value in the view state form field in
//the Page.PreLoad method.
_antiXsrfTokenValue = requestCookie.Value;
//Set the view state user key, which will be validated by the
//framework during each request
Page.ViewStateUserKey = _antiXsrfTokenValue;
}
//If the CSRF cookie is not found, then this is a new session.
else
{
//Generate a new Anti-XSRF token
_antiXsrfTokenValue = Guid.NewGuid().ToString("N");
//Set the view state user key, which will be validated by the
//framework during each request
Page.ViewStateUserKey = _antiXsrfTokenValue;
//Create the non-persistent CSRF cookie
var responseCookie = new HttpCookie(AntiXsrfTokenKey)
{
//Set the HttpOnly property to prevent the cookie from
//being accessed by client side script
HttpOnly = true,
//Add the Anti-XSRF token to the cookie value
Value = _antiXsrfTokenValue
};
//If we are using SSL, the cookie should be set to secure to
//prevent it from being sent over HTTP connections
if (FormsAuthentication.RequireSSL &&
Request.IsSecureConnection)
responseCookie.Secure = true;
//Add the CSRF cookie to the response
Response.Cookies.Set(responseCookie);
}
Page.PreLoad += master_Page_PreLoad;
}
protected void master_Page_PreLoad(object sender, EventArgs e)
{
//During the initial page load, add the Anti-XSRF token and user
//name to the ViewState
if (!IsPostBack)
{
//Set Anti-XSRF token
ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
//If a user name is assigned, set the user name
ViewState[AntiXsrfUserNameKey] =
Context.User.Identity.Name ?? String.Empty;
}
//During all subsequent post backs to the page, the token value from
//the cookie should be validated against the token in the view state
//form field. Additionally user name should be compared to the
//authenticated users name
else
{
//Validate the Anti-XSRF token
if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
|| (string)ViewState[AntiXsrfUserNameKey] !=
(Context.User.Identity.Name ?? String.Empty))
{
throw new InvalidOperationException("Validation of
Anti-XSRF token failed.");
}
}
}
}
有了这个解决方案,我无法实现我想要的
如果用户A登录,执行一些活动并捕获来自Fiddler的请求,它将注销,现在用户B登录,我将触发捕获的请求,它将成功地完成任务。所以我的申请没有被阻止
我可以看到请求。对于特定会话和新会话请求,Cookies[AntiXsrfTokenKey]值相同。Cookies[AntiXsrfTokenKey]值不同
我应该做什么来代替这一行
throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
在注销按钮上,单击“我清除所有内容”
FormsAuthentication.SignOut();
Session.Clear();
Session.Abandon();
Session.RemoveAll();
HttpCookie cookies = Context.Request.Cookies[FormsAuthentication.FormsCookieName];//Or Response
cookies.Expires = DateTime.Now.AddDays(-1);
Context.Response.Cookies.Add(cookies);
if (Request.Cookies["ASP.NET_SessionId"] != null)
{
Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
}
if (Request.Cookies["AuthToken"] != null)
{
Response.Cookies["AuthToken"].Value = string.Empty;
Response.Cookies["AuthToken"].Expires = DateTime.Now.AddMonths(-20);
}
if (Request.Cookies[AntiXsrfTokenKey] != null)
{
Response.Cookies[AntiXsrfTokenKey].Value = string.Empty;
Response.Cookies[AntiXsrfTokenKey].Expires = DateTime.Now.AddMonths(-20);
}
//Response.Redirect("Logon.aspx");
FormsAuthentication.RedirectToLoginPage();
使用“AntiForgeryToken”防止CSRF攻击。要更好地理解,请参阅以下链接:
只需在发送数据的表单中添加
@Html.AntiForgeryToken()
。然后用[ValidateAntiForgeryToken]
装饰动作方法或控制器:它不基于MVC,它的asp.net 4.0它不基于MVC,它的asp.net 4.0