发表新帖
发表新帖

what is the use of anti-forgery token salt?

后端 未结
关注
2 1435
旧巷少年郎
旧巷少年郎 2021-01-08 00:54

In ASP.NET MVC 1.0, there is a new feature for handling cross site request forgery security problem:

 <%= Html.AntiForgeryToken() %>
[ValidateAntiForge
2条回答
  • 青春惊慌失措
    青春惊慌失措 (楼主)
    2021-01-08 01:08

    You've ask a few unrelated problems:

    1. I don't know why your security software is reporting 'session fixed'. Try reading the documentation that comes with the report
    2. The anti-forgery token:

    This is used (presumably) to validate that each request is valid. So consider that someone tries to present a link to the page ?x=1, if the token is not also passed, the request will be rejected. Further, it (may) prevent duplicate posting of the same item. If you click 'post' twice, the token will likely change (each request), and this case will be detected via something like:

    Session["nextToken"] = token;
WriteToken(token);

...

if( !Request["nextToken"] == Session["nextToken"] ){
    ...
}

// note: order in code is slightly different, you must take the token
// before regenerating it, obviously

    I think the term for this (the attack it protects) is called "CSRF" (Cross-Site Request Forgery), these days.

    0 讨论(0)
 看不清?
提交回复
热议问题