Many of us do not give this problem much thought when building web applications, but it matters. When we write business logic we should consider it from every angle.
First, a brief introduction to what CSRF is.
CSRF stands for cross-site request forgery. It differs from cross-site scripting (XSS): XSS works by getting script into a page that the site then serves to other users who trust it, whereas CSRF works by using your identity to make requests that the server treats as legitimate. Many of us have seen a QQ Zone account suddenly post a flood of advertisements. The process is roughly this: we log in to a site and some authentication state is stored in a cookie, because the session mechanism is cookie based. The attacker does not need to steal that cookie. If a page on another site can make our browser send a request to the target site (a hidden form that auto-submits, an image tag pointing at an action URL), the browser attaches our cookies automatically, so the server accepts the request as ours and it can post advertisements or do anything else the server believes we are allowed to do.
There are many ways to prevent this. In MVC, the ValidateAntiForgeryToken attribute exists specifically to reject forged requests. It is applied to POST actions, because the check reads a hidden form field that only a form submission carries (GET requests should have no side effects and have nothing to protect). The code is as follows:
```csharp
[HttpPost]
[ValidateInput(false)]
[ValidateAntiForgeryToken]   // rejects the request unless the form token pairs with the cookie token
public ActionResult Login(string name, string pwd)
{
    // Placeholder credential check; a real application validates against a user store.
    if (name == pwd)
    {
        return RedirectToAction("Index");
    }
    ModelState.AddModelError("", "Username or password is wrong!");
    return View();
}
```
When we construct a request ourselves and submit the form without the token, the action is not executed; MVC throws an HttpAntiForgeryException whose message reads: The required anti-forgery form field "__RequestVerificationToken" is not present.
In fact, at this step our initial goal is already achieved. For legitimate form submissions on this site we now need to use Html.AntiForgeryToken().
This helper is written inside our form tag. Its role is to add a hidden input named __RequestVerificationToken to the form, whose value is a protected (encrypted and signed) string.
The protection uses the site's machineKey. At the same time, the helper also issues a cookie named __RequestVerificationToken. On a POST, the attribute unprotects both values and checks that they carry the same random security token, and that the form token was issued to the currently signed-in user. A page on another origin can make the browser send the cookie, but it can read neither the cookie nor our hidden field, so it cannot supply a matching pair.
```cshtml
@using (Html.BeginForm("Login", "Home", FormMethod.Post))
{
    @Html.AntiForgeryToken()
    @Html.ValidationSummary(true)
    <div class="form-group">
        <label class="label-danger">User name:</label>
        <input type="text" name="name" />
    </div>
    <div class="form-group">
        <label class="label-danger">Password:</label>
        <input type="password" name="pwd" />
    </div>
    <div class="form-group">
        <button type="submit" class="btn-primary">Login</button>
    </div>
}
```
At this point our own forms produce legitimate requests, and the action is reasonably secure against forged ones.
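The mechanism above, as an added example that is not part of the original post and not the ASP.NET source: a small Python model of the cookie-plus-hidden-field scheme. It stands in for machineKey with a constant HMAC key and replaces MachineKey.Protect (which also encrypts) with a plain HMAC; the token layout and the checks it performs (both parts present, untampered, same random security token, form token issued to the current user) follow what ValidateAntiForgeryToken enforces. All names, the key and the sample users are constructed for this example.

```python
"""Model of the two-part anti-forgery token used by ASP.NET MVC.

Added example, not the ASP.NET source: a cookie token and a form token
share one random security token; both are integrity protected with a
server-side key (standing in for machineKey) and the form token is bound
to the user it was issued to. A request is accepted only when both parts
are present, untampered and paired.
"""
import base64
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Stands in for the site's machineKey. Constructed for this example; a real
# deployment uses a generated key kept in configuration, never in source.
SERVER_KEY = b"example-machine-key-do-not-reuse"
MAC_LEN = 32  # HMAC-SHA256 output length in bytes


def _protect(payload: dict, key: bytes) -> str:
    """Serialise payload and append an HMAC so the client cannot alter it."""
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()


def _unprotect(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the MAC verifies under key, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) <= MAC_LEN:
        return None
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(body)
    return payload if isinstance(payload, dict) else None


def issue_tokens(username: str, key: bytes = SERVER_KEY) -> Tuple[str, str]:
    """What Html.AntiForgeryToken() does: one cookie value, one hidden-field value."""
    security_token = base64.urlsafe_b64encode(os.urandom(16)).decode()
    cookie_token = _protect({"kind": "cookie", "st": security_token}, key)
    form_token = _protect(
        {"kind": "form", "st": security_token, "user": username}, key)
    return cookie_token, form_token


def validate(cookie_token: Optional[str], form_token: Optional[str],
             current_user: str, key: bytes = SERVER_KEY) -> Tuple[bool, str]:
    """What [ValidateAntiForgeryToken] does on a POST. Returns (accepted, reason)."""
    if not cookie_token:
        return False, "cookie token missing"
    if not form_token:
        return False, "form field __RequestVerificationToken missing"
    cookie = _unprotect(cookie_token, key)
    form = _unprotect(form_token, key)
    if cookie is None or form is None:
        return False, "token tampered with or issued under another key"
    if cookie.get("kind") != "cookie" or form.get("kind") != "form":
        return False, "token used in the wrong position"
    # Constant-time compare of the shared random value.
    if not hmac.compare_digest(cookie.get("st", ""), form.get("st", "")):
        return False, "cookie token and form token do not match"
    if form.get("user", "") != current_user:
        return False, "form token was issued to a different user"
    return True, "ok"


if __name__ == "__main__":
    # Legitimate flow: the page rendered for alice carries both parts.
    cookie, field = issue_tokens("alice")
    print("own form:     ", validate(cookie, field, "alice"))
    # Cross-site forgery: another origin can make the browser send alice's
    # cookie, but cannot read it, so its form has no matching hidden field.
    print("forged post:  ", validate(cookie, None, "alice"))
    # Attacker pastes the hidden field from a page rendered for their own
    # session; the random security tokens differ.
    _, attacker_field = issue_tokens("mallory")
    print("foreign field:", validate(cookie, attacker_field, "alice"))
```

The forged post fails not because the attacker lacks the cookie (the browser sends it for them) but because they cannot read it or the victim's page to produce a form field carrying the same security token; that pairing, enforced server side, is the whole defence.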
To summarize, CSRF is someone using your identity to perform malicious actions.
Our countermeasure in MVC is to call @Html.AntiForgeryToken() inside the form.
The trick is that the helper uses the machineKey to generate a protected hidden field and writes a matching cookie.
In the controller, the action is decorated with the [ValidateAntiForgeryToken] attribute, which verifies that the two belong together.
That is the whole process.
MVC prevents CSRF attacks