In ASP.NET MVC, Microsoft provides a built-in way to prevent cross-site request forgery (XSRF) attacks. How do you prevent XSRF in a traditional WebForms site that uses a handler to accept Ajax POST request data? Here's a simple way to do it, similar to MVC.
1. First of all, install the following NuGet package in your site. You can also copy the DLLs manually.
Install-Package Microsoft.AspNet.WebPages -Version 2.0.20710
WebPages depends on Razor, and the latest version of Razor is 3.0, so the latest version of WebPages cannot be installed in .NET Framework 4.0 projects. You need to install version 2.0.
After the installation is complete, the following several DLLs are added:
2. Configure Web.config to generate the hidden token.
The following configuration needs to be added under the system.web node:
After you have configured the node, add a token property to the code-behind of the .aspx page. If you have a base class, you can put this part in the base class.
We added the property token, which uses AntiForgery.GetHtml() to generate the hidden token field. Then bind the token in the page:
<%=token%>
3. Create a handler that receives the AJAX requests, and add code to it that rejects forged page submissions.
4. Create an AJAX request that carries the token.
This protects your asynchronous requests against XSRF attacks.
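The server side of steps 2 and 3, as an added example (not the original article's code). The class names BasePage and SaveHandler and the JSON responses are assumptions; AntiForgery.GetHtml() and AntiForgery.Validate() come from System.Web.Helpers in the WebPages 2.0 package.

```csharp
// Added example; BasePage and SaveHandler are hypothetical names.
using System;
using System.Web;
using System.Web.Helpers;   // AntiForgery (System.Web.WebPages.dll)
using System.Web.Mvc;       // HttpAntiForgeryException (same assembly)

// Step 2: code-behind base class. GetHtml() sets the anti-forgery cookie and
// returns the matching hidden <input name="__RequestVerificationToken">.
public class BasePage : System.Web.UI.Page
{
    protected string token
    {
        get { return AntiForgery.GetHtml().ToString(); }
    }
}

// Step 3: handler that accepts the Ajax POST.
public class SaveHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "application/json";

        // State-changing work is accepted over POST only.
        if (!string.Equals(context.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 405;
            return;
        }

        try
        {
            // Checks the cookie token against the __RequestVerificationToken
            // form field of the current request; throws if either is missing or they do not match.
            AntiForgery.Validate();
        }
        catch (HttpAntiForgeryException)
        {
            context.Response.StatusCode = 403;
            context.Response.Write("{\"error\":\"invalid anti-forgery token\"}");
            return;
        }

        // Token is valid: do the real work here (placeholder response).
        context.Response.Write("{\"ok\":true}");
    }
}
```

Because Validate() reads the token from the posted form data, the Ajax call in step 4 has to send the hidden field's value as a form field named __RequestVerificationToken, and the browser has to send the cookie that GetHtml() issued.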
PS: Many sites have subdomains, or share one cookie across several sites, which makes it easy for users with some technical knowledge to forge cross-site requests.
Microsoft has open-sourced a lot of the .NET code. If you want to see how the above is implemented, you can download the source and read it.