joh*_* Gu (13) tags: antiforgerytoken, asp.net-mvc-3
I have the following Ajax.ActionLink that calls the Delete action method to delete an object:

    @if (!item.IsAlreadyAssigned(item.LabTestID))
    {
        @* Build the confirm prompt in C#; no "@" transition is needed inside a code block *@
        string i = "Are You sure You want to delete (" + item.Description.ToString() + ") ?";
        @Ajax.ActionLink("Delete",
            "Delete", "LabTest",
            new { id = item.LabTestID },
            new AjaxOptions
            {
                Confirm = i,
                HttpMethod = "Post",
                OnSuccess = "deletionconfirmation",
                OnFailure = "deletionerror"
            })
    }
But is there a way to include @Html.AntiForgeryToken() with the Ajax.ActionLink delete call, to make sure that no attacker can delete anything by sending fake delete requests?

BR
Dar*_*rov 16
You need to use the Html.AntiForgeryToken helper, which sets a cookie and emits a hidden field with the same value. When sending the AJAX request you also need to add this value to the POST data.

So I would use a normal link instead of an Ajax link:
    @* data_confirm is rendered as a data-confirm attribute; the click handler below reads it *@
    @Html.ActionLink(
        "Delete",
        "Delete",
        "LabTest",
        new {
            id = item.LabTestID
        },
        new {
            @class = "delete",
            data_confirm = "Are You sure You want to delete (" + item.Description.ToString() + ") ?"
        }
    )
Then put the hidden field somewhere in the DOM (for example before the closing body tag):

    @Html.AntiForgeryToken()
and finally unobtrusively AJAXify the delete anchors:

    $(function () {
        $('.delete').click(function () {
            // Ask first; the prompt text comes from the data-confirm attribute
            if (!confirm($(this).data('confirm'))) {
                return false;
            }
            // Locate the hidden field rendered by @Html.AntiForgeryToken()
            var token = $(':input:hidden[name*="RequestVerificationToken"]');
            // Post the token under its own field name so [ValidateAntiForgeryToken] can find it
            var data = {};
            data[token.attr('name')] = token.val();
            $.ajax({
                url: this.href,
                type: 'POST',
                data: data,
                success: function (result) {
                    // e.g. remove the deleted row from the page
                },
                error: function () {
                    // e.g. tell the user the deletion failed
                }
            });
            // Prevent the normal GET navigation to the href
            return false;
        });
    });
Now you can decorate your Delete action with the ValidateAntiForgeryToken attribute:

    [HttpPost]
    [ValidateAntiForgeryToken]   // rejects requests whose form token does not match the cookie
    public ActionResult Delete(int id)
    {
        ...
    }
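The same flow without jQuery, as an added example that is not part of the answer above: it locates the hidden field rendered by @Html.AntiForgeryToken(), builds the form-encoded POST that [ValidateAntiForgeryToken] expects, and refuses to send the request at all when the token is missing from the page (a silent omission would only surface as a server-side rejection). The HTML fragment and token value are constructed for the example; the `fetch` implementation is injected so the request-building logic can run outside a browser.

```javascript
// Added example, not code from the original answer. Demonstrates the
// anti-forgery token handling from the answer with plain DOM APIs and fetch.

const TOKEN_FIELD_PATTERN = /RequestVerificationToken/;

// Parse every <input ...> tag out of an HTML fragment and return the hidden
// ones as {name, value}. Attribute order is not assumed.
function parseHiddenInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([\w:-]+)\s*=\s*"([^"]*)"/g;
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2];
    }
    if ((attrs.type || '').toLowerCase() === 'hidden') {
      inputs.push({ name: attrs.name || '', value: attrs.value || '' });
    }
  }
  return inputs;
}

// Pick the anti-forgery field out of a list of hidden inputs. The substring
// match mirrors the answer's [name*="RequestVerificationToken"] selector.
// Throwing when it is absent is deliberate: a POST without the token is
// rejected by [ValidateAntiForgeryToken] anyway, and failing loudly exposes a
// page that forgot to render @Html.AntiForgeryToken().
function findAntiForgeryToken(inputs) {
  const hits = inputs.filter((i) => TOKEN_FIELD_PATTERN.test(i.name));
  if (hits.length === 0) {
    throw new Error('anti-forgery token not found in page; refusing to send an unprotected POST');
  }
  return hits[0];
}

// Build the form-encoded POST: the token is sent under the exact field name it
// was rendered with, and the browser attaches the matching cookie itself on a
// same-origin request.
function buildDeleteRequest(href, token) {
  const body = new URLSearchParams();
  body.set(token.name, token.value);
  return {
    url: href,
    init: {
      method: 'POST',
      credentials: 'same-origin',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Send the delete request; resolves to true when the server accepted it.
async function deleteViaAjax(href, hiddenInputs, fetchImpl) {
  const token = findAntiForgeryToken(hiddenInputs);
  const req = buildDeleteRequest(href, token);
  const response = await fetchImpl(req.url, req.init);
  return response.ok;
}

// Browser wiring for the answer's <a class="delete" data-confirm="..."> links.
function attachDeleteHandlers(doc, fetchImpl) {
  const hiddenInputs = Array.from(doc.querySelectorAll('input[type="hidden"]'))
    .map((el) => ({ name: el.name, value: el.value }));
  doc.querySelectorAll('a.delete').forEach((a) => {
    a.addEventListener('click', (ev) => {
      ev.preventDefault();
      if (!confirm(a.dataset.confirm)) return;
      deleteViaAjax(a.href, hiddenInputs, fetchImpl).catch((err) => alert(err.message));
    });
  });
}

// Constructed stand-in for a rendered page containing @Html.AntiForgeryToken();
// the token value is made up and chosen to exercise URL encoding of + / =.
const SAMPLE_PAGE =
  '<body><a class="delete" href="/LabTest/Delete/7">Delete</a>' +
  '<input name="__RequestVerificationToken" type="hidden" value="abc+/=" />' +
  '</body>';
```

In a browser the entry point is `attachDeleteHandlers(document, fetch)`; `parseHiddenInputs` exists only so the token lookup and request construction can be exercised against the constructed sample without a DOM.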