antiforgerytoken

问题 I am currently working on an ASP.NET MVC project and came upon an error that seemed peculiar. In the ASP.NET MVC Templates forms always get an AntiForgeryToken (thus leading me to believe that this is a best practice). However AntiForgeryTokens don't seem to work well with caching. For example when I open a site with a form including an AntiForgeryToken and I duplicate the browser window both windows have the exact same AntiForgeryToken leading to an exception when posting the form. This

问题 My website is raising this exception around 20 times a day, usually the form works fine but there are instances where this issue occur and I don't know why is so random. This is logged exception by elmah 500 HttpAntiForgery The required anti-forgery cookie __RequestVerificationToken" is not present. But the form it is sending the the token as shown on the XML log by elmah <form> <item name="__RequestVerificationToken"> <value string="DNbDMrzHmy37GPS6IFH-EmcIh4fJ2laezIrIEev5f4vOhsY9T7SkH9

问题 How can I prevent users from forging forms on the PHP or jquery side, I am using Jquery's ajax functionality to submit the forms, and this means that tech-wise people can change some variables such as the value of something (that shouldn't be changed / is a user id or something like that) through the use of firebug or web inspector and likewise. So how can I prevent users from changing these variables or making sure they are unchangeable through a secure and good way? Thanks 回答1: As the

问题 i came to know : Under the covers, the MVC AntiForgeryToken attribute uses the machinekey for encryption. If you don't specify a machinekey in the web.config , one is automatically generated for you by ASP.NET. If the ASP.NET application is restarted (e.g. do an iisreset), the AntiForgeryToken within the browser cookie will still be encrypted with an old machine key, hence why it crashes with the above error. My concern is before write the machine key in web.config i like to know where i

问题 I just did a quick test with a simple ASP.NET MVC 3 sample by modifying default LogOn form. According to this article, both hidden field __RequestVerificationToken and cookies __RequestVerificationToken_Lw__ must contain same value that generated by Html.AntiForgeryToken() . But it isn't exactly same when I got them in Fiddle, by the way, looking at MVC 3 source code, method GetAntiForgeryTokenAndSetCookie seemed not use salt value for generating the cookies. Was there any change in MVC 3?

问题 Case: I have an MVC5 application (basically the MVC5 template with a scaffolded view) with the Google authentication method enabled. The application has been configured to accept email as user name and to store the claims assigned from Google like Surname, givenname, email, nameidentifier, etc, to the membership database (AspNetUserClaims). When I register and log in with a "local" user everything is fine. If I log in with a Google user its fine. If I log in with an account set up to have

问题 I have a problem with the anti CRSF MVC mechanism. The cookie and the form input returned does not match. I'm getting an error every single time, only in one specific page. In the rest of the application it works well. The server is returning HTTP 500 Internal Server Error and I can see on the log this exception: [System.Web.Mvc.HttpAntiForgeryException]: {"A required anti-forgery token was not supplied or was invalid."} This is the hidden input that the server is generating is: <input name="

问题 In regards to this Haacked blog, I'm hesitant to implement the proposed anti-JSON GET hijacking solutions since The recommended solutions to mitigating JSON hijacking involve non-REST-full JSON POSTs to GET data The alternate solution (object wrapping) causes problems with 3rd party controls I don't have source-code access to. I can't find a community-vetted implementation that implements the Alternative Solution (listed below) on how to compose the security token, or securely deliver it

问题 We have some existing MVC web services that are called AJAX style from web pages. These services make use of the ValidateAntiForgeryToken attribute to help prevent request forgeries. We are looking to migrate these services to Web API, but there appears to be no equivalent anti-forgery functionality. Am I missing something? Is there a different approach to addressing request forgeries with Web API? 回答1: You could implement such authorization attribute: [AttributeUsage(AttributeTargets.Method

问题 I previously asked a question regarding this, got an interesting answer which got me on my way to, well asking more questions. So here is the next question in my journey to figure out the inner workings of AJAX posts and the rather annoying ValidateAntiForgeryTokenAttribute . I have a _layout.cshtml, this is where all of the script goodies are located for now. I have a login page that render three partials, one for OpenID logins, which is just a normal @using(Html.BeginForm()) {} , one for