C# 如何在ASP.Net Web应用程序中防止CSRF攻击？

我想防止我的Web应用程序受到CSRF攻击

我将此解决方案应用于母版页，所有网页都继承自此母版页

public partial class SiteMaster : MasterPage
{
    private const string AntiXsrfTokenKey = "__AntiXsrfToken";
    private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
    private string _antiXsrfTokenValue;

    protected void Page_Init(object sender, EventArgs e)
    {
        //First, check for the existence of the Anti-XSS cookie
        var requestCookie = Request.Cookies[AntiXsrfTokenKey];
        Guid requestCookieGuidValue;

        //If the CSRF cookie is found, parse the token from the cookie.
        //Then, set the global page variable and view state user
        //key. The global variable will be used to validate that it matches in the view state form field in the Page.PreLoad
        //method.
        if (requestCookie != null
        && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
        {
            //Set the global token variable so the cookie value can be
            //validated against the value in the view state form field in
            //the Page.PreLoad method.
            _antiXsrfTokenValue = requestCookie.Value;

            //Set the view state user key, which will be validated by the
            //framework during each request
            Page.ViewStateUserKey = _antiXsrfTokenValue;
        }
        //If the CSRF cookie is not found, then this is a new session.
        else
        {
            //Generate a new Anti-XSRF token
            _antiXsrfTokenValue = Guid.NewGuid().ToString("N");

            //Set the view state user key, which will be validated by the
            //framework during each request
            Page.ViewStateUserKey = _antiXsrfTokenValue;

            //Create the non-persistent CSRF cookie
            var responseCookie = new HttpCookie(AntiXsrfTokenKey)
            {
                //Set the HttpOnly property to prevent the cookie from
                //being accessed by client side script
                HttpOnly = true,

                //Add the Anti-XSRF token to the cookie value
                Value = _antiXsrfTokenValue
            };

            //If we are using SSL, the cookie should be set to secure to
            //prevent it from being sent over HTTP connections
            if (FormsAuthentication.RequireSSL &&
            Request.IsSecureConnection)
            responseCookie.Secure = true;

            //Add the CSRF cookie to the response
            Response.Cookies.Set(responseCookie);
        }

            Page.PreLoad += master_Page_PreLoad;
        }

        protected void master_Page_PreLoad(object sender, EventArgs e)
        {
            //During the initial page load, add the Anti-XSRF token and user
            //name to the ViewState
            if (!IsPostBack)
            {
                //Set Anti-XSRF token
                ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;

                //If a user name is assigned, set the user name
                ViewState[AntiXsrfUserNameKey] =
                Context.User.Identity.Name ?? String.Empty;
            }
            //During all subsequent post backs to the page, the token value from
            //the cookie should be validated against the token in the view state
            //form field. Additionally user name should be compared to the
            //authenticated users name
            else
            {
                //Validate the Anti-XSRF token
                if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                || (string)ViewState[AntiXsrfUserNameKey] !=
                (Context.User.Identity.Name ?? String.Empty))
            {
            throw new InvalidOperationException("Validation of
            Anti-XSRF token failed.");
            }
        }
    }
}

有了这个解决方案，我无法实现我想要的

如果用户A登录，执行一些活动并捕获来自Fiddler的请求，它将注销，现在用户B登录，我将触发捕获的请求，它将成功地完成任务。所以我的申请没有被阻止

我可以看到请求。对于特定会话和新会话请求，Cookies[AntiXsrfTokenKey]值相同。Cookies[AntiXsrfTokenKey]值不同

我应该做什么来代替这一行

throw new InvalidOperationException("Validation of Anti-XSRF token failed.");

在注销按钮上，单击“我清除所有内容”

 FormsAuthentication.SignOut();

        Session.Clear();
        Session.Abandon();
        Session.RemoveAll();

        HttpCookie cookies = Context.Request.Cookies[FormsAuthentication.FormsCookieName];//Or Response
        cookies.Expires = DateTime.Now.AddDays(-1);
        Context.Response.Cookies.Add(cookies);

        if (Request.Cookies["ASP.NET_SessionId"] != null)
        {
            Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
            Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
        }

        if (Request.Cookies["AuthToken"] != null)
        {
            Response.Cookies["AuthToken"].Value = string.Empty;
            Response.Cookies["AuthToken"].Expires = DateTime.Now.AddMonths(-20);
        }

        if (Request.Cookies[AntiXsrfTokenKey] != null)
        {
            Response.Cookies[AntiXsrfTokenKey].Value = string.Empty;
            Response.Cookies[AntiXsrfTokenKey].Expires = DateTime.Now.AddMonths(-20);
        }


        //Response.Redirect("Logon.aspx");
        FormsAuthentication.RedirectToLoginPage();

使用“AntiForgeryToken”防止CSRF攻击。要更好地理解，请参阅以下链接：

---

只需在发送数据的表单中添加

@Html.AntiForgeryToken（）

。然后用

[ValidateAntiForgeryToken]

装饰动作方法或控制器：

它不基于MVC，它的asp.net 4.0它不基于MVC，它的asp.net 4.0