antiforgerytoken

ASP.NET MVC HTML.AntiForgeryToken() with multiple AJAX requests from one page

ⅰ亾dé卋堺 submitted on 2019-12-09 16:57:59
Question: I'm creating a page that makes multiple AJAX form posts without a page refresh. I would like to use the ASP.NET MVC HTML.AntiForgeryToken() helper to secure the form against CSRF attacks. I think that each form on the page can share the same token, but will it allow multiple requests with the same token? If not, is there a way to get a new token or some other way to secure the forms? Answer 1: You can share the same token. Of course, as a general rule, it's highly recommended to wrap your Ajax

MVC 2 AntiForgeryToken - Why symmetric encryption + IPrinciple?

∥☆過路亽.° submitted on 2019-12-09 10:06:48
Question: We recently updated our solution to MVC 2, and this has changed the way that the AntiForgeryToken works. Unfortunately this does not fit with our AJAX framework any more. The problem is that MVC 2 now uses symmetric encryption to encode some properties about the user, including the user's Name property (from IPrincipal). We are able to securely register a new user using AJAX, after which subsequent AJAX calls will be invalid as the anti-forgery token will change when the user has been

AntiForgery.GetTokens: what is the purpose of the oldCookieToken parameter?

浪子不回头ぞ submitted on 2019-12-09 08:23:25
Question: We're writing an iOS mobile app in Objective-C that makes posts to our ASP.NET MVC server app. On iPhone, the HTTP stack (and cookies etc.) appears to be shared with Safari. This leaves us open to XSRF attacks, so unless I'm mistaken we need to protect the POSTs with anti-forgery tokens and protect our controller methods with ValidateAntiForgeryTokenAttribute. I'll qualify this question by saying that I don't properly understand the mechanism by which the anti-forgery tokens are generated and

MVC3 AntiForgeryToken breaks on Ajax login

*爱你&永不变心* submitted on 2019-12-08 19:16:20
Question: ASP.NET MVC's AntiForgeryToken mechanism is based on the current HttpContext.User. It uses that value to construct the token when you call Html.AntiForgeryToken(). Basically it is OK (see an explanation in the last paragraph here), but a problem arises when you log in through an Ajax call. In my code, when a user logs in, the credentials are sent as a JSON object in Ajax (the AntiForgeryToken hidden field value is also sent inside the JSON), the server authenticates the user, applies

Need some guide line for AntiForgeryToken use in MVC [closed]

断了今生、忘了曾经 submitted on 2019-12-08 06:44:48
Question: Closed. This question needs to be more focused. It is not currently accepting answers. Closed 5 years ago. I am new to MVC, so I went through a few articles about AntiForgeryToken usage. AntiForgeryToken emits an encrypted value in the page, and when the form posts, the encrypted value and the cookie for AntiForgeryToken go to the server end, where the two values are compared to check whether they are the same or not. If not

Antiforgery token exception only when debugger is run

試著忘記壹切 submitted on 2019-12-07 08:02:13
Question: I have an MVC2 app which is serving content through iframes. The iframed page is simply a form. It has a request validation token. Everything works well cross-domain until a developer uses the Visual Studio 2005 debugger. As soon as they do, I get the following error details. Exception: System.Web.Mvc.HttpAntiForgeryException: A required anti-forgery token was not supplied or was invalid. Stack Trace: at System.Web.Mvc.ValidateAntiForgeryTokenAttribute.OnAuthorization(AuthorizationContext

Secure way to Delete a record in ASP.Net MVC

那年仲夏 submitted on 2019-12-05 18:26:20
I want to delete a product from my ASP.NET MVC 5 website. I want to know if adding [AntiForgeryToken] and [Authorize] is enough to secure the Delete operation?
View:
<p>Delete: @Model.Name</p>
@using (Html.BeginForm("Delete", "ProductController", FormMethod.Post, new { ProductId = Model.ProductId }))
{
    @Html.AntiForgeryToken()
    <button type="submit">Delete</button>
}
Controller:
[HttpPost]
[Authorize]
[ValidateAntiForgeryToken]
public ActionResult Delete(long ProductId)
{
    /* Do I need to check if the logged in User has permission to delete the product?
    var product = ProductRepository.Get(Id);
    if

Handle Anti forgery errors during logging in while already Logged in? ASP.NET MVC

匆匆过客 submitted on 2019-12-05 01:29:04
When a user is logged in and goes to the login page while still logged in, if he tries to log in again you get an anti-forgery error: The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster. Another type of error I get is: The provided anti-forgery token was meant for a different claims-based user than the current user. How do I handle these anti-forgery errors? Create action

MVC5 AntiForgeryToken - how to handle "The provided anti-forgery token was meant for user "", but the current user is "xxx"." exception?

半腔热情 submitted on 2019-12-04 23:10:19
I want to protect our login actions with the AntiforgeryToken attribute. I know why the exception from the topic occurs; however, I can't seem to find any good solution for it. Let's say we have the following situations: It's 8:00 AM, application users are coming to work, they sit down and start the login process. Right now it is very possible that some of the users will get the same ValidationToken. After the first one logs in, all others will see the above exception (or some other custom exception screen) when they attempt to log in. Some user logged in, then accidentally pressed the "back"