ABP (. Netcore) Development and release Process 2

In the ABP (. Netcore) has encountered many problems during the development process, and today records the ABP's anti-CSRF function (antiforgerytoken ),

Background knowledge.

AntiForgeryToken can be said to be a treatment/prevention CSRF solution.

So what is CSRF?

CSRF (Cross-site request forgery) is a cross-site solicitation forgery , also known as one Click attack or session Riding, usually abbreviated as CSRF or XSRF, which is a malicious use of the site.

The simple thing to understand is that someone stole your identity and sent a malicious request in your name.

In recent years, csrf in a tepid position, but still have to be careful to guard against this!

The ABP is enabled by default for anti-CSRF, see the Startup class for details,

However, it was later found that even if you do not add @html.antiforgerytoken () to the form, you can request success, for example

1.$.ajax do not set the @Html when using Jquery.ajax. AntiForgeryToken ()

note that when requesting the controller's post method, you need to make ContentType = ' application/x-www-form-urlencoded ', which should be. Strange characteristics of Netcore. If ContentType = ' Application/json ', then the controller's method should be set to [Formbody]

If you do not do this, the background is not receiving a value.

　　

2.abp.ajax () method, Abp.ajax an object as the Receive option. You can pass any parameters in the $.ajax method of jquery. Default value: DataType: ' JSON ', type: ' POST ', ContentType: ' Application/json ',

　　

You can also use Abp.ajax without setting the @Html. AntiForgeryToken ()

What is this for? Originally Abp.js added requestverificationtoken to our request header when we requested it, with the name "X-xsrf-token"

View the source code of the ABP, set the definition of Tokencookiename and tokenheadername in Abpantiforgeryconfiguration. One is the name of token when it is stored in a cookie, and the name that token is transmitted in the request header.

And in Abpaspnetcoremodule, Requestverificationtoken's name is "X-xsrf-token". (This is another way of verifying that Microsoft defines that the token value is not transferred and obtained from the form, but is taken from the request header.) The default name is "Requestverificationtoken" and of course you can customize it. ）

Of course, the token value is obtained in Abpaspnetcoreantiforgerymanager, the source code is as follows.

It then adds an extension method to Iabpantiforgerymanager: Setcookie

Finally, this method is called in our account/_layout.cshtml and shared\_layout.cshtml:

This is why during the project testing phase, if the request after skipping the account/_layout.cshtml and shared\_layout.cshtml steps does not succeed (only 400 errors are reported).

Why not set the @Html when using Abp.ajax or $.ajax. AntiForgeryToken ()?

Next, let's see abp.js.

In the Abp.jquery.js,

the Ajaxsend () method executes the function at the beginning of the AJAX request. It is an Ajax event. This means that the ABP adds "X-xsrf-token" to our request header before each AJAX request.

This is the AntiForgeryToken acquisition and validation system for a complete set of ABP.

ABP (. Netcore) Development and release Process 2