[MVC arrangement] 4.asp.net MVC how to prevent csrf attacks

What is a csrf attack?

Csrf (Cross-Site Request Forgery, also known as "one click attack" or session riding, usually abbreviated as csrf or xsrf, is a type of malicious use of websites. Although it sounds like XSS, it is very different from XSS, and the attack method is almost different. XSS uses trusted users in the site, while csrf uses trusted websites by disguising requests from trusted users. Compared with XSS attacks, csrf attacks are often less popular (so the resources to prevent them are quite scarce) and difficult to prevent. Therefore, XSS attacks are considered to be more dangerous than XSS attacks.

Http://baike.baidu.com/view/1609487.htm

Csrf attack scenarios:

Csrf attacks depend on the following assumptions:

Attackers understand the victim's site.

The attacker's target site has a persistent authorization cookie or the victim has the current session cookie.

The target site does not have a second authorization for user behavior on the website

Asp.net MVC provides the following built-in methods to defend against csrf:

1. Use

<% = Html. antiforgerytoken () %>

For example:

<% Using (HTML. beginform ("login", "admin", forw.hod. post) {%> <% = html. antiforgerytoken () %> <% = html. validationsummary (true, "Logon Failed. Correct the error and try again. ") %> <Div> <fieldset> <legend> account information </legend> <Div class =" editor-label "> <% = html. labelfor (M => M. username) %> </div> <Div class = "editor-field"> <% = html. textboxfor (M => M. username) %> <% = html. validationmessagefor (M => M. username) %> <label id = "usernametip"> </label> </div> <Div class = "editor-label"> <% = html. labelfor (M => M. password) %> </div> <Div class = "editor-field"> <% = html. passwordfor (M => M. password) %> <% = html. validationmessagefor (M => M. password) %> </div> <p> <input type = "Submit" value = "Logon"/> </P> </fieldset> </div> <%} %>

2. d. Use [validateantiforgerytoken] to identify the corresponding action:

 
[Httppost] [validateantiforgerytoken] public actionresult login (USR) {If (modelstate. isvalid) {VAR model = dB. context. single <USR> (P => P. systemuser = true & P. username = USR. username & P. password = USR. password); If (model! = NULL) {authenticate. login (USR. username, USR. role); return redirecttoaction ("userlist", "admin");} else {modelstate. the user name or password provided by addmodelerror ("", "is incorrect. ") ;}} Return view (usr );}
 

 

In fact, we found that Asp.net MVC helped us a lot.