如何在ASP.NET中保护AJAX请求?

时间:2021-11-08 17:20:21

I am developing an application in which I am displaying products in a grid. In the grid there is a column which have a disable/enable icon and on click of that icon I am firing a request through AJAX to my page manageProduct.aspx for enabling/disabling that particular product.

我正在开发一个应用程序,我在其中显示网格中的产品。在网格中有一个列具有禁用/启用图标,点击该图标后,我通过AJAX向我的页面manageProduct.aspx发出请求,以启用/禁用该特定产品。

In my ajax request I am passing productID as parameter, so the final ajax query is as

在我的ajax请求中,我将productID作为参数传递,因此最终的ajax查询为as

http://example.com/manageProduct.aspx?id=234

Now, if someone (professional hacker or web developer) can get this URL (which is easy to get from my javascript files), then he can make a script which will run as a loop and will disable all my products.

现在,如果有人(专业黑客或网络开发人员)可以获得此URL(很容易从我的javascript文件中获取),那么他可以创建一个将作为循环运行的脚本并禁用我的所有产品。

So, I want to know that is there any mechanism, technique or method using which if someone tries to execute that page directly then, it will return an error (a proper message "You're not authorized or something") else if the page is executed from the desired page, like where I am displaying product list, then it will ecxecute properly.

所以,我想知道有没有任何机制,技术或方法,如果有人试图直接执行该页面,它将返回错误(正确的消息“你没有被授权或其他东西”)否则如果页面从所需的页面执行,就像我显示产品列表的位置一样,然后它将正确地执行。

Basically I wnat to secure my AJAX requests, so taht no one can directly execute them.

基本上我想保护我的AJAX请求,所以没有人可以直接执行它们。

In PHP:

In php my colleague secure this PHP pages by checking the refrer of the page. as below:

在php中,我的同事通过检查页面的refrer来保护这个PHP页面。如下:

$back_link = $_SERVER['HTTP_REFERER'];

if ($back_link =='')
{
   echo 'You are not authorized to execute this page';
}
else
{
  //coding
}

Please tell me how to the same or any other different but secure techique in ASP.NET (C#), I am using jQUERY in my app for making ajax requests.

请告诉我如何在ASP.NET(C#)中使用相同或任何其他不同但安全的技术,我在我的应用程序中使用jQUERY来发出ajax请求。

Thanks

3 个解决方案

#1


4  

Forget about using the referer - it is trivial to forge. There is no way to reliably tell if a request is being made directly or as a response to something else.

忘记使用引用者 - 伪造是微不足道的。没有办法可靠地判断请求是直接发出还是作为对其他内容的响应。

If you want to stop unauthorised people from having an effect on the system by requesting a URL, then you need something smarter then that to determine their authorisation level (probably a password system implemented with HTTP Basic Auth or Cookies).

如果您想通过请求URL来阻止未经授权的人员对系统产生影响,那么您需要更智能的东西来确定他们的授权级别(可能是使用HTTP Basic Auth或Cookies实现的密码系统)。

#2


3  

Whatever you do, don't rely on http headers like 'HTTP_REFERER', as they can be easily spoofed.

无论你做什么,都不要依赖像'HTTP_REFERER'这样的http标头,因为它们很容易被欺骗。

#3


2  

You need to check in your service that your user is logged in. Writing a good secure login system isn't easy either but that is what you need to do, or use the built in "forms authentication".

您需要检查您的用户已登录的服务。编写一个良好的安全登录系统也不容易,但这是您需要做的,或使用内置的“表单身份验证”。

Also, do not use sequential product id's, use uniqueidentifiers, you can still have an integer product id for display but for all other uses like the one you describe you will want to use the product uniqueidentifier/guid.

此外,不要使用顺序产品ID,使用uniqueidentifier,您仍然可以使用整数产品ID进行显示,但对于您描述的所有其他用途,您将要使用产品uniqueidentifier / guid。

#1


4  

Forget about using the referer - it is trivial to forge. There is no way to reliably tell if a request is being made directly or as a response to something else.

忘记使用引用者 - 伪造是微不足道的。没有办法可靠地判断请求是直接发出还是作为对其他内容的响应。

If you want to stop unauthorised people from having an effect on the system by requesting a URL, then you need something smarter then that to determine their authorisation level (probably a password system implemented with HTTP Basic Auth or Cookies).

如果您想通过请求URL来阻止未经授权的人员对系统产生影响,那么您需要更智能的东西来确定他们的授权级别(可能是使用HTTP Basic Auth或Cookies实现的密码系统)。

#2


3  

Whatever you do, don't rely on http headers like 'HTTP_REFERER', as they can be easily spoofed.

无论你做什么,都不要依赖像'HTTP_REFERER'这样的http标头,因为它们很容易被欺骗。

#3


2  

You need to check in your service that your user is logged in. Writing a good secure login system isn't easy either but that is what you need to do, or use the built in "forms authentication".

您需要检查您的用户已登录的服务。编写一个良好的安全登录系统也不容易,但这是您需要做的,或使用内置的“表单身份验证”。

Also, do not use sequential product id's, use uniqueidentifiers, you can still have an integer product id for display but for all other uses like the one you describe you will want to use the product uniqueidentifier/guid.

此外,不要使用顺序产品ID,使用uniqueidentifier,您仍然可以使用整数产品ID进行显示,但对于您描述的所有其他用途,您将要使用产品uniqueidentifier / guid。