http://stackoverflow.com/questions/29939566/preventing-cross-site-request-forgery-csrf-attacks-in-asp-net-web-forms

1.在Master页面添加以下代码

C#

public partial class SiteMaster : MasterPage

{

  private const string AntiXsrfTokenKey = "__AntiXsrfToken";

  private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";

  private string _antiXsrfTokenValue;

  protected void Page_Init(object sender, EventArgs e)

  {

    //First, check for the existence of the Anti-XSS cookie

    var requestCookie = Request.Cookies[AntiXsrfTokenKey];

    Guid requestCookieGuidValue;

    //If the CSRF cookie is found, parse the token from the cookie.

    //Then, set the global page variable and view state user

    //key. The global variable will be used to validate that it matches

    //in the view state form field in the Page.PreLoad method.

    if (requestCookie != null

        && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))

    {

      //Set the global token variable so the cookie value can be

      //validated against the value in the view state form field in

      //the Page.PreLoad method.

      _antiXsrfTokenValue = requestCookie.Value;

      //Set the view state user key, which will be validated by the

      //framework during each request

      Page.ViewStateUserKey = _antiXsrfTokenValue;

    }

    //If the CSRF cookie is not found, then this is a new session.

    else

    {

      //Generate a new Anti-XSRF token

      _antiXsrfTokenValue = Guid.NewGuid().ToString("N");

      //Set the view state user key, which will be validated by the

      //framework during each request

      Page.ViewStateUserKey = _antiXsrfTokenValue;

      //Create the non-persistent CSRF cookie

      var responseCookie = new HttpCookie(AntiXsrfTokenKey)

      {

        //Set the HttpOnly property to prevent the cookie from

        //being accessed by client side script

        HttpOnly = true,

        //Add the Anti-XSRF token to the cookie value

        Value = _antiXsrfTokenValue

      };

      //If we are using SSL, the cookie should be set to secure to

      //prevent it from being sent over HTTP connections

      if (FormsAuthentication.RequireSSL &&

          Request.IsSecureConnection)

      {

        responseCookie.Secure = true;

      }

      //Add the CSRF cookie to the response

      Response.Cookies.Set(responseCookie);

    }

    Page.PreLoad += master_Page_PreLoad;

  }

  protected void master_Page_PreLoad(object sender, EventArgs e)

  {

    //During the initial page load, add the Anti-XSRF token and user

    //name to the ViewState

    if (!IsPostBack)

    {

      //Set Anti-XSRF token

      ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;

      //If a user name is assigned, set the user name

      ViewState[AntiXsrfUserNameKey] =

             Context.User.Identity.Name ?? String.Empty;

    }

    //During all subsequent post backs to the page, the token value from

    //the cookie should be validated against the token in the view state

    //form field. Additionally user name should be compared to the

    //authenticated users name

    else

    {

      //Validate the Anti-XSRF token

      if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue

          || (string)ViewState[AntiXsrfUserNameKey] !=

               (Context.User.Identity.Name ?? String.Empty))

      {

        throw new InvalidOperationException("Validation of " +

                            "Anti-XSRF token failed.");

      }

    }

  }

}

VB.NET

 Private Const AntiXsrfTokenKey As String = "__AntiXsrfToken"

    Private Const AntiXsrfUserNameKey As String = "__AntiXsrfUserName"

    Private _antiXsrfTokenValue As String

    Protected Sub Page_Init(sender As Object, e As EventArgs) Handles Me.Init

        ' The code below helps to protect against XSRF attacks

        Dim requestCookie = Request.Cookies(AntiXsrfTokenKey)

        Dim requestCookieGuidValue As Guid

        If requestCookie IsNot Nothing AndAlso Guid.TryParse(requestCookie.Value, requestCookieGuidValue) Then

            ' Use the Anti-XSRF token from the cookie

            _antiXsrfTokenValue = requestCookie.Value

            Page.ViewStateUserKey = _antiXsrfTokenValue

        Else

            ' Generate a new Anti-XSRF token and save to the cookie

            _antiXsrfTokenValue = Guid.NewGuid().ToString("N")

            Page.ViewStateUserKey = _antiXsrfTokenValue

            Dim responseCookie = New HttpCookie(AntiXsrfTokenKey)

            responseCookie.HttpOnly = True

            responseCookie.Value = _antiXsrfTokenValue

            If FormsAuthentication.RequireSSL AndAlso Request.IsSecureConnection Then

                responseCookie.Secure = True

            End If

            Response.Cookies.Set(responseCookie)

        End If

        AddHandler Page.PreLoad, AddressOf master_Page_PreLoad

    End Sub

    Protected Sub master_Page_PreLoad(sender As Object, e As EventArgs)

        If Not IsPostBack Then

            ' Set Anti-XSRF token

            ViewState(AntiXsrfTokenKey) = Page.ViewStateUserKey

            ViewState(AntiXsrfUserNameKey) = If(Context.User.Identity.Name, [String].Empty)

        Else

            ' Validate the Anti-XSRF token

            If DirectCast(ViewState(AntiXsrfTokenKey), String) <> _antiXsrfTokenValue OrElse DirectCast(ViewState(AntiXsrfUserNameKey), String) <> (If(Context.User.Identity.Name, [String].Empty)) Then

                Throw New InvalidOperationException("Validation of Anti-XSRF token failed.")

            End If

        End If

    End Sub

2.logout的时候清除相关cookie(这里很重要,否则没有效果)

        Session.Abandon()

        'delete the session and antixsrfToken cookies

        Dim sessionCookie = Response.Cookies("ASP.NET_SessionId")

        Dim antiCookie = Response.Cookies("__AntiXsrfToken")

        sessionCookie.Expires = DateTime.Now.AddHours(-)

        antiCookie.Expires = DateTime.Now.AddHours(-)

        Response.Cookies.Add(sessionCookie)

        Response.Cookies.Add(antiCookie)

        Response.Redirect("./login.aspx", False)

ASP.NET CSRF 解决【网摘】的更多相关文章

  1. Delphi 中DataSnap技术网摘

    Delphi2010中DataSnap技术网摘 一.为DataSnap系统服务程序添加描述 这几天一直在研究Delphi 2010的DataSnap,感觉功能真是很强大,现在足有理由证明Delphi7 ...

  2. Feedly订阅Blog部落格RSS网摘 - Blog透视镜

    网络信息爆炸的时代,如何更有效率地阅读文章,订阅RSS网摘,可以快速地浏览文章标题,当对某些文章有兴趣时,才点下连结连到原网站,阅读更详细的文章,Feedly Reader阅读器除了提供在线版订阅RS ...

  3. Bloglines订阅Blog部落格RSS网摘 - Blog透视镜

    网络信息蓬勃发展,Blog部落格越来越普及,如果逐一地去浏览网站,势必费时费力,倘若信息可以自己送上门,那就可以节省不少时间,就好像看报纸的标题,有兴趣才点连结,进到网站浏览文章内容,Blogline ...

  4. TCP/IP协议头部结构体(网摘小结)(转)

    源:TCP/IP协议头部结构体(网摘小结) TCP/IP协议头部结构体(转) 网络协议结构体定义 // i386 is little_endian. #ifndef LITTLE_ENDIAN #de ...

  5. Vim命令快捷键(网摘)

    Vim命令快捷键(网摘) 原文出处:[?---->home]

  6. c#与C++类型转换网摘

    转载自 C++和C#转换 https://www.cnblogs.com/zjoch/p/4147182.html c#与C++类型转换,网摘 //c++:HANDLE(void   *)       ...

  7. ubuntu解决网易云无法打开

    最近首次入手ubuntu18 摸索了很久,当然网易云是不可缺少的一部分,在配置好各种环境+程序后,也找到了解决网易云的方法了. 首先安装好网易云 默认情况下需要在终端使用 sudo 才能运行 解决的办 ...

  8. Python入门及容易!网摘分享给大家!

    Python:Python学习总结 背景 PHP的$和->让人输入的手疼(PHP确实非常简洁和强大,适合WEB编程),Ruby的#.@.@@也好不到哪里(OO人员最该学习的一门语言). Pyth ...

  9. 采访ServiceStack的项目领导Demis Bellot——第1部分(网摘)

    ServiceStack是一个开源的.支持.NET与Mono平台的REST Web Services框架.InfoQ有幸与Demis Bellot深入地讨论了这个项目.在这篇两部分报道的第1部分中,我 ...

随机推荐

  1. uipath_excel

    1.excel建表 https://jingyan.baidu.com/article/95c9d20d0ee5e2ec4e75618d.html 2.具体操作 https://blog.csdn.n ...

  2. Android Studio3.0.0之前首次安装通用配置

    一.第一次安装: 温馨提示:在安装Android Studio之前,建议先提前准备好单独的Android SDK,这个可以在AndroidDevTools网站下载.以前用Eclipse做过Androi ...

  3. AcWing 1016. 最大上升子序列和

    #include<iostream> using namespace std ; ; int f[N]; int a[N]; int main() { int n; cin>> ...

  4. Django | Unable to get repr for <class 'django.db.models.query.QuerySet'>

    问题:在mysql中查询数据时,代码如下: skus = category.sku_set.filter(is_launched=True).order_by(sort_field) skus 取不到 ...

  5. Unity中常用的数据结构总结

    本篇博文对U3D经常用到的数据结构和各种数据结构的应用场景总结下. 1.几种常见的数据结构 这里主要总结下在工作中常碰到的几种数据结构:Array,ArrayList,List<T>,Li ...

  6. 一键安装各个版本boost库(无需编译)

    1.NuGet 最简单的,用VS自带的NuGet包管理器安装,一般比较常用的上面都有 2.下载exe安装包 在这里https://sourceforge.net/projects/boost/file ...

  7. thinkphp中简单的控制器使用

    1.在路由(route.php)中定义一条路由 Route::rule('new/:name/:id','index/News/read'); 2.在index下的controller控制器中新建一个 ...

  8. spring(二):体系结构&核心模块

    Spring框架 帮助管理对象及其依赖关系 提供如通用日志记录.性能统计.安全控制.异常处理等面向切面的能力 帮助管理数据库事务,提供了一套简单的JDBC访问实现,提供与第三方数据访问框架集成(如Hi ...

  9. Solr与JDK对应版本关系,Tomcat与JDK版本对应关系

    最新在部署solrCloud集群,由于自己机器上用的JDK都是JDK1.7的,然后我就从网上下载了最新下载了最先的solr6.6.0和最新的Tomcat9.0,部署了一下,开始报错,提示solr和JD ...

  10. AcWing 4. 多重背包问题

    朴素 数据范围小 //数据范围小 #include<iostream> #include<algorithm> using namespace std ; ; int n,m; ...