http://stackoverflow.com/questions/29939566/preventing-cross-site-request-forgery-csrf-attacks-in-asp-net-web-forms

1.在Master页面添加以下代码

C#

public partial class SiteMaster : MasterPage

{

  private const string AntiXsrfTokenKey = "__AntiXsrfToken";

  private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";

  private string _antiXsrfTokenValue;

  protected void Page_Init(object sender, EventArgs e)

  {

    //First, check for the existence of the Anti-XSS cookie

    var requestCookie = Request.Cookies[AntiXsrfTokenKey];

    Guid requestCookieGuidValue;

    //If the CSRF cookie is found, parse the token from the cookie.

    //Then, set the global page variable and view state user

    //key. The global variable will be used to validate that it matches

    //in the view state form field in the Page.PreLoad method.

    if (requestCookie != null

        && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))

    {

      //Set the global token variable so the cookie value can be

      //validated against the value in the view state form field in

      //the Page.PreLoad method.

      _antiXsrfTokenValue = requestCookie.Value;

      //Set the view state user key, which will be validated by the

      //framework during each request

      Page.ViewStateUserKey = _antiXsrfTokenValue;

    }

    //If the CSRF cookie is not found, then this is a new session.

    else

    {

      //Generate a new Anti-XSRF token

      _antiXsrfTokenValue = Guid.NewGuid().ToString("N");

      //Set the view state user key, which will be validated by the

      //framework during each request

      Page.ViewStateUserKey = _antiXsrfTokenValue;

      //Create the non-persistent CSRF cookie

      var responseCookie = new HttpCookie(AntiXsrfTokenKey)

      {

        //Set the HttpOnly property to prevent the cookie from

        //being accessed by client side script

        HttpOnly = true,

        //Add the Anti-XSRF token to the cookie value

        Value = _antiXsrfTokenValue

      };

      //If we are using SSL, the cookie should be set to secure to

      //prevent it from being sent over HTTP connections

      if (FormsAuthentication.RequireSSL &&

          Request.IsSecureConnection)

      {

        responseCookie.Secure = true;

      }

      //Add the CSRF cookie to the response

      Response.Cookies.Set(responseCookie);

    }

    Page.PreLoad += master_Page_PreLoad;

  }

  protected void master_Page_PreLoad(object sender, EventArgs e)

  {

    //During the initial page load, add the Anti-XSRF token and user

    //name to the ViewState

    if (!IsPostBack)

    {

      //Set Anti-XSRF token

      ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;

      //If a user name is assigned, set the user name

      ViewState[AntiXsrfUserNameKey] =

             Context.User.Identity.Name ?? String.Empty;

    }

    //During all subsequent post backs to the page, the token value from

    //the cookie should be validated against the token in the view state

    //form field. Additionally user name should be compared to the

    //authenticated users name

    else

    {

      //Validate the Anti-XSRF token

      if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue

          || (string)ViewState[AntiXsrfUserNameKey] !=

               (Context.User.Identity.Name ?? String.Empty))

      {

        throw new InvalidOperationException("Validation of " +

                            "Anti-XSRF token failed.");

      }

    }

  }

}

VB.NET

 Private Const AntiXsrfTokenKey As String = "__AntiXsrfToken"

    Private Const AntiXsrfUserNameKey As String = "__AntiXsrfUserName"

    Private _antiXsrfTokenValue As String

    Protected Sub Page_Init(sender As Object, e As EventArgs) Handles Me.Init

        ' The code below helps to protect against XSRF attacks

        Dim requestCookie = Request.Cookies(AntiXsrfTokenKey)

        Dim requestCookieGuidValue As Guid

        If requestCookie IsNot Nothing AndAlso Guid.TryParse(requestCookie.Value, requestCookieGuidValue) Then

            ' Use the Anti-XSRF token from the cookie

            _antiXsrfTokenValue = requestCookie.Value

            Page.ViewStateUserKey = _antiXsrfTokenValue

        Else

            ' Generate a new Anti-XSRF token and save to the cookie

            _antiXsrfTokenValue = Guid.NewGuid().ToString("N")

            Page.ViewStateUserKey = _antiXsrfTokenValue

            Dim responseCookie = New HttpCookie(AntiXsrfTokenKey)

            responseCookie.HttpOnly = True

            responseCookie.Value = _antiXsrfTokenValue

            If FormsAuthentication.RequireSSL AndAlso Request.IsSecureConnection Then

                responseCookie.Secure = True

            End If

            Response.Cookies.Set(responseCookie)

        End If

        AddHandler Page.PreLoad, AddressOf master_Page_PreLoad

    End Sub

    Protected Sub master_Page_PreLoad(sender As Object, e As EventArgs)

        If Not IsPostBack Then

            ' Set Anti-XSRF token

            ViewState(AntiXsrfTokenKey) = Page.ViewStateUserKey

            ViewState(AntiXsrfUserNameKey) = If(Context.User.Identity.Name, [String].Empty)

        Else

            ' Validate the Anti-XSRF token

            If DirectCast(ViewState(AntiXsrfTokenKey), String) <> _antiXsrfTokenValue OrElse DirectCast(ViewState(AntiXsrfUserNameKey), String) <> (If(Context.User.Identity.Name, [String].Empty)) Then

                Throw New InvalidOperationException("Validation of Anti-XSRF token failed.")

            End If

        End If

    End Sub

2.logout的时候清除相关cookie(这里很重要,否则没有效果)

        Session.Abandon()

        'delete the session and antixsrfToken cookies

        Dim sessionCookie = Response.Cookies("ASP.NET_SessionId")

        Dim antiCookie = Response.Cookies("__AntiXsrfToken")

        sessionCookie.Expires = DateTime.Now.AddHours(-)

        antiCookie.Expires = DateTime.Now.AddHours(-)

        Response.Cookies.Add(sessionCookie)

        Response.Cookies.Add(antiCookie)

        Response.Redirect("./login.aspx", False)

ASP.NET CSRF 解决【网摘】的更多相关文章

  1. Delphi 中DataSnap技术网摘

    Delphi2010中DataSnap技术网摘 一.为DataSnap系统服务程序添加描述 这几天一直在研究Delphi 2010的DataSnap,感觉功能真是很强大,现在足有理由证明Delphi7 ...

  2. Feedly订阅Blog部落格RSS网摘 - Blog透视镜

    网络信息爆炸的时代,如何更有效率地阅读文章,订阅RSS网摘,可以快速地浏览文章标题,当对某些文章有兴趣时,才点下连结连到原网站,阅读更详细的文章,Feedly Reader阅读器除了提供在线版订阅RS ...

  3. Bloglines订阅Blog部落格RSS网摘 - Blog透视镜

    网络信息蓬勃发展,Blog部落格越来越普及,如果逐一地去浏览网站,势必费时费力,倘若信息可以自己送上门,那就可以节省不少时间,就好像看报纸的标题,有兴趣才点连结,进到网站浏览文章内容,Blogline ...

  4. TCP/IP协议头部结构体(网摘小结)(转)

    源:TCP/IP协议头部结构体(网摘小结) TCP/IP协议头部结构体(转) 网络协议结构体定义 // i386 is little_endian. #ifndef LITTLE_ENDIAN #de ...

  5. Vim命令快捷键(网摘)

    Vim命令快捷键(网摘) 原文出处:[?---->home]

  6. c#与C++类型转换网摘

    转载自 C++和C#转换 https://www.cnblogs.com/zjoch/p/4147182.html c#与C++类型转换,网摘 //c++:HANDLE(void   *)       ...

  7. ubuntu解决网易云无法打开

    最近首次入手ubuntu18 摸索了很久,当然网易云是不可缺少的一部分,在配置好各种环境+程序后,也找到了解决网易云的方法了. 首先安装好网易云 默认情况下需要在终端使用 sudo 才能运行 解决的办 ...

  8. Python入门及容易!网摘分享给大家!

    Python:Python学习总结 背景 PHP的$和->让人输入的手疼(PHP确实非常简洁和强大,适合WEB编程),Ruby的#.@.@@也好不到哪里(OO人员最该学习的一门语言). Pyth ...

  9. 采访ServiceStack的项目领导Demis Bellot——第1部分(网摘)

    ServiceStack是一个开源的.支持.NET与Mono平台的REST Web Services框架.InfoQ有幸与Demis Bellot深入地讨论了这个项目.在这篇两部分报道的第1部分中,我 ...

随机推荐

  1. 二分-C - Pie

    C - Pie My birthday is coming up and traditionally I'm serving pie. Not just one pie, no, I have a n ...

  2. 基于Linq表达式做的一个简单的表达式生成器

    using System; using System.Collections.Generic; using System.ComponentModel.DataAnnotations.Schema; ...

  3. ConsoleWindow中的双击日志定位

    很多项目都有自己重写Debug.Log的习惯,难免会遇到在Unity的Console窗口中双击日志, 但是没法直接跳转到想要看到的代码那一行的时候,解决办法有以下2种: 将自己封装的日志类制作成DLL ...

  4. 题解 【Codeforces387B】George and Round

    以下选自官方题解: 考虑困难的需求数量,我们将覆盖这些困难, 然后我们将提出新的问题,并准备新的问题来覆盖其他需求. 很明显,如果我们决定满足从n中抽取i的要求,那么最好采用那些复杂性最小的要求. 让 ...

  5. 调用百度地图api隐藏版权信息

    调用百度地图API隐藏右下角版权信息 商用的话建议不要隐藏,避免侵权. 隐藏前: 隐藏后: .BMap_cpyCtrl { display: none; } .anchorBL { display: ...

  6. zabbix4.2安装配置指南

    [声名]本实例中采用Linux CentOS 7系统 CentOS Linux release 7.6.1810 (Core) 1.安装LAMP环境: [root@localhost /]# yum ...

  7. calloc函数的使用和对内存free的认识

    #include<stdlib.h> void *calloc(size_t n, size_t size): free(); 目前的理解:  n是多少个这样的size,这样的使用类似有f ...

  8. 【转载】Java泛型(二)

    转自:http://www.cnblogs.com/lwbqqyumidi/p/3837629.html 一. 泛型概念的提出(为什么需要泛型)? 首先,我们看下下面这段简短的代码: 1 public ...

  9. 题解 UVA1335 【Beijing Guards】

    UVA1335 Beijing Guards 双倍经验:P4409 [ZJOI2006]皇帝的烦恼 如果只是一条链,第一个护卫不与最后一个护卫相邻,那么直接贪心,找出最大的相邻数的和. 当变成环,贪心 ...

  10. docker互联机制实现便捷互访

    何为容器互联 & 为何需要容器互联 容器的互联是一种让多个容器中应用进行快速交互的方式,它会在源和接收容器之间创建连接关系,接收容器可以通过容器名快速访问到源容器,而不用指定具体的 ip 地址 ...