I know how to use MVC's AntiForgeryToken attribute and it's associated HTML helper to help XSRF-secure my application's form POSTs.
我知道如何使用MVC的AntiForgeryToken属性,它是相关的HTML助手,可以帮助xsrf保护我的应用程序的表单发布。
Can something similar can be done for JsonResults that implement GET?
可以为实现GET的JsonResults做类似的事情吗?
For instance, my View contains an onSubmit jQuery call like such:
例如,我的视图包含onSubmit jQuery调用,如下所示:
$.getJSON("/allowActivity/YesOrNo/" + someFormValue, "{}", function(data) {
if(data.Allow) {
//Do something.
}
});
I want to make certain that this JsonResult is only callable from the intended page.
我想确保这个JsonResult只可从预期的页面调用。
EDIT:
编辑:
I found this post about a similar question, with no concrete answer.
我在这篇文章中发现了一个类似的问题,没有具体的答案。
What is the easiest way to ensure that my GET(non-destructive) URL is consumed only by an AJAX call from my own page?
确保我的GET(无损)URL仅被来自我自己页面的AJAX调用使用的最简单方法是什么?
4 个解决方案
#1
8
You may use the AntiForgeryToken combined with some custom logic. The creation of the AntiForgery token on the server is the same, but by default the value is not included in your XmlHttpRequest.
您可以使用反伪造令牌与一些自定义逻辑结合使用。服务器上的反伪造令牌的创建是相同的,但是默认情况下,XmlHttpRequest中不包含这个值。
The value of this token is in the HTTP only cookie "__RequestVerificationToken" and should also be in the form data posted to the server. So include a key/value pair in your XmlHttpRequest and use the ValidateAntiForgeryToken - attribute on your controller
此令牌的值位于仅针对HTTP的cookie“__RequestVerificationToken”中,并且也应该位于发送到服务器的表单数据中。因此,在XmlHttpRequest中包含一个键/值对,并在控制器上使用ValidateAntiForgeryToken—属性
EDIT:
编辑:
Today I tried using the AntiForgeryToken for Ajax requests myself and it works fine. Just use the following javascript:
今天我尝试使用AntiForgeryToken处理Ajax请求,它工作得很好。只需使用以下javascript:
$.post('my_url', $.getAntiForgeryTokenString(), function() { ... });
$.getAntiForgeryTokenString = function() {
return $(document.getElementsByName("__RequestVerificationToken")).fieldSerialize();
};
On the server side you don't have to change your code - just use the ValidateAntiForgeryToken- attribute for your action.
在服务器端,您不必更改代码—只需使用ValidateAntiForgeryToken—属性进行操作。
Hope this helps
希望这有助于
#2
1
First of all why not to use $.post(url, data, callback, 'json') instead of getJSON? And as kleolb02 said, you may add value from the cookie to the post data using cookie plugin - {__RequestVerificationToken: $.cookie('__RequestVerificationToken')}
首先,为什么不使用$呢?post(url, data, callback, 'json')而不是getJSON?正如kleolb02所说,您可以使用cookie插件- {__RequestVerificationToken: $.cookie('__RequestVerificationToken')}将cookie中的值添加到post数据中。
#3
1
I have used similar code in an ASP.NET MVC project to use on an element's blur function without having an Ajax form. This code provides filling a text field with server data when a certain HTML element Blur event occurs.
我在ASP中使用过类似的代码。NET MVC项目在没有Ajax表单的情况下使用元素的模糊函数。这段代码提供了在发生某个HTML元素模糊事件时用服务器数据填充文本字段。
Hope this helps too. Here's my code:
希望这可以帮助。这是我的代码:
Javascript:
Javascript:
var mytext = { 'myText': 'example text' };
$.post('/MyController/JsonResultMethod', AddAntiForgeryToken(myText), function (resultData) {
$('#htmlElement').val(resultData);
});
AddAntiForgeryToken = function (data) {
data.__RequestVerificationToken = $('input[name=__RequestVerificationToken]').val();
return data;
};
C-Sharp code:
升c代码:
[HttpPost]
[ValidateAntiForgeryToken]
public JsonResult SeoString(string myText)
{
try
{
// do something here
return this.Json("result text");
}
catch (Exception)
{ return this.Json(string.Empty); }
}
#4
0
You can do something similar as the anti XSRF methods. Just generate some ID insert it into the javascript and when the user calls your JSON url, have that url include the generated ID and check if it is there.
您可以做一些类似于反XSRF方法的事情。只需生成一些ID,将其插入到javascript中,当用户调用JSON url时,让该url包含生成的ID并检查它是否存在。
A defense against XSRF is also using the sessionID as key, this doesn't stop the user executing it from another website for his own account though.
针对XSRF的一种防御方法是使用sessionID作为键,但这并不阻止用户从其他网站为自己的帐户执行它。
Some hash based on the session and time might do the trick. Ofcourse if the user copies the value from the JS, he can still execute it from another location, but you can have that value expire every x minutes. Another option is to set a cookie with JS and read it serverside.
一些基于会话和时间的散列可能会起到作用。当然,如果用户从JS中复制了值,他仍然可以从另一个位置执行它,但是您可以让这个值每x分钟过期一次。另一种选择是用JS设置一个cookie并读取它的服务器端。
Hope this gives you some ideas to get you started.
希望这能给你一些启发。
#1
8
You may use the AntiForgeryToken combined with some custom logic. The creation of the AntiForgery token on the server is the same, but by default the value is not included in your XmlHttpRequest.
您可以使用反伪造令牌与一些自定义逻辑结合使用。服务器上的反伪造令牌的创建是相同的,但是默认情况下,XmlHttpRequest中不包含这个值。
The value of this token is in the HTTP only cookie "__RequestVerificationToken" and should also be in the form data posted to the server. So include a key/value pair in your XmlHttpRequest and use the ValidateAntiForgeryToken - attribute on your controller
此令牌的值位于仅针对HTTP的cookie“__RequestVerificationToken”中,并且也应该位于发送到服务器的表单数据中。因此,在XmlHttpRequest中包含一个键/值对,并在控制器上使用ValidateAntiForgeryToken—属性
EDIT:
编辑:
Today I tried using the AntiForgeryToken for Ajax requests myself and it works fine. Just use the following javascript:
今天我尝试使用AntiForgeryToken处理Ajax请求,它工作得很好。只需使用以下javascript:
$.post('my_url', $.getAntiForgeryTokenString(), function() { ... });
$.getAntiForgeryTokenString = function() {
return $(document.getElementsByName("__RequestVerificationToken")).fieldSerialize();
};
On the server side you don't have to change your code - just use the ValidateAntiForgeryToken- attribute for your action.
在服务器端,您不必更改代码—只需使用ValidateAntiForgeryToken—属性进行操作。
Hope this helps
希望这有助于
#2
1
First of all why not to use $.post(url, data, callback, 'json') instead of getJSON? And as kleolb02 said, you may add value from the cookie to the post data using cookie plugin - {__RequestVerificationToken: $.cookie('__RequestVerificationToken')}
首先,为什么不使用$呢?post(url, data, callback, 'json')而不是getJSON?正如kleolb02所说,您可以使用cookie插件- {__RequestVerificationToken: $.cookie('__RequestVerificationToken')}将cookie中的值添加到post数据中。
#3
1
I have used similar code in an ASP.NET MVC project to use on an element's blur function without having an Ajax form. This code provides filling a text field with server data when a certain HTML element Blur event occurs.
我在ASP中使用过类似的代码。NET MVC项目在没有Ajax表单的情况下使用元素的模糊函数。这段代码提供了在发生某个HTML元素模糊事件时用服务器数据填充文本字段。
Hope this helps too. Here's my code:
希望这可以帮助。这是我的代码:
Javascript:
Javascript:
var mytext = { 'myText': 'example text' };
$.post('/MyController/JsonResultMethod', AddAntiForgeryToken(myText), function (resultData) {
$('#htmlElement').val(resultData);
});
AddAntiForgeryToken = function (data) {
data.__RequestVerificationToken = $('input[name=__RequestVerificationToken]').val();
return data;
};
C-Sharp code:
升c代码:
[HttpPost]
[ValidateAntiForgeryToken]
public JsonResult SeoString(string myText)
{
try
{
// do something here
return this.Json("result text");
}
catch (Exception)
{ return this.Json(string.Empty); }
}
#4
0
You can do something similar as the anti XSRF methods. Just generate some ID insert it into the javascript and when the user calls your JSON url, have that url include the generated ID and check if it is there.
您可以做一些类似于反XSRF方法的事情。只需生成一些ID,将其插入到javascript中,当用户调用JSON url时,让该url包含生成的ID并检查它是否存在。
A defense against XSRF is also using the sessionID as key, this doesn't stop the user executing it from another website for his own account though.
针对XSRF的一种防御方法是使用sessionID作为键,但这并不阻止用户从其他网站为自己的帐户执行它。
Some hash based on the session and time might do the trick. Ofcourse if the user copies the value from the JS, he can still execute it from another location, but you can have that value expire every x minutes. Another option is to set a cookie with JS and read it serverside.
一些基于会话和时间的散列可能会起到作用。当然,如果用户从JS中复制了值,他仍然可以从另一个位置执行它,但是您可以让这个值每x分钟过期一次。另一种选择是用JS设置一个cookie并读取它的服务器端。
Hope this gives you some ideas to get you started.
希望这能给你一些启发。