Asp.net MVC 3 防止 Cross-Site Request Forgery (CSRF)原理及扩展

[code][HttpPost]

publicActionResultSubmit(FormCollectionfc)

{

if(!string.IsNullOrEmpty(fc["Title"]))

{

ViewBag.Message="Submitsuccess!";

returnView("Index");

}

returnView("Error");

}

[code]@using(Html.BeginForm("Submit","Home"))

{

@Html.TextBox("Title","text");

<inputtype="submit"value="Submit"id="sb1"/>

}

[code]<formaction="/Home/Submit2"method="post">

<inputname="__RequestVerificationToken"type="hidden"

value="WiB+H5TNp6V27ALYB3z/1nkD9BLaZIBbWQOBEllj2R/+MkGZqOjLbIof2MJeEoyUJV2ljujNR4etYV6idzji

G4+JL77P9qmeewc4Erh8LnMBHX6zLas2L67GDhvCom0dpiDZl0cH+PykIC/R+HYzEIUTK/thXuF8OUtLwIfKdly0650U

3I7MD6/cIc5aersJBMZ/p6gv76gc6nvKJDt2w0eMy3tkEfAcnNPTdeWr59Ns+48gsGpZ2GSh6G+Uh7rb"/>

<inputid="Title"name="Title"type="text"value="text"/>

<br/><inputtype="submit"value="Submit"id="sb1"/>

[code]publicHtmlStringGetHtml(HttpContextBasehttpContext,stringsalt,stringdomain,stringpath)

{

Debug.Assert(httpContext!=null);

stringformValue=GetAntiForgeryTokenAndSetCookie(httpContext,salt,domain,path);

stringfieldName=AntiForgeryData.GetAntiForgeryTokenName(null);

TagBuilderbuilder=newTagBuilder("input");

builder.Attributes["type"]="hidden";

builder.Attributes["name"]=fieldName;

builder.Attributes["value"]=formValue;

returnnewHtmlString(builder.ToString(TagRenderMode.SelfClosing));

}

__RequestVerificationToken_Lw__=T37bfAdCkz0o1iXbAvH4v0bdpGQxfZP2PI5aTJgLL

/Yhr3128FUY+fvUPApBqz7CGd2uxPiW+lsZ5tvRbeLSetARbHGxPRqiw4LZiPpWrpU9XY8NO4aZzNAdMe+l3q5EMw2iIFB/6UfriWxD7X7n

/8P43LJ4tkGgv6BbrGWmKFo=

更多细节，请查询源代码。然后在Action上增加[ValidateAntiForgeryToken]就可以了，它是这样工作的:

[code]publicvoidValidate(HttpContextBasecontext,stringsalt){

Debug.Assert(context!=null);

stringfieldName=AntiForgeryData.GetAntiForgeryTokenName(null);

stringcookieName=AntiForgeryData.GetAntiForgeryTokenName(context.Request.ApplicationPath);

HttpCookiecookie=context.Request.Cookies[cookieName];

if(cookie==null||String.IsNullOrEmpty(cookie.Value)){

//error:cookietokenismissing

throwCreateValidationException();

}

AntiForgeryDatacookieToken=Serializer.Deserialize(cookie.Value);

stringformValue=context.Request.Form[fieldName];

if(String.IsNullOrEmpty(formValue)){

//error:formtokenismissing

throwCreateValidationException();

}

AntiForgeryDataformToken=Serializer.Deserialize(formValue);

if(!String.Equals(cookieToken.Value,formToken.Value,StringComparison.Ordinal)){

//error:formtokendoesnotmatchcookietoken

throwCreateValidationException();

}

stringcurrentUsername=AntiForgeryData.GetUsername(context.User);

if(!String.Equals(formToken.Username,currentUsername,StringComparison.OrdinalIgnoreCase)){

//error:formtokenisnotvalidforthisuser

//(don'tcareaboutcookietoken)

throwCreateValidationException();

}

if(!String.Equals(salt??String.Empty,formToken.Salt,StringComparison.Ordinal)){

//error:customvalidationfailed

throwCreateValidationException();

}

}

[code]//verifysession

if(!String.Equals(formToken.SessionId,AntiForgeryData.GetGUIDString(),StringComparison.Ordinal))

{

throwCreateValidationException();

}

[code]internalclassAntiForgeryDataSerializer

{

[SuppressMessage("Microsoft.Usage","CA2202:Donotdisposeobjectsmultipletimes",Justification="MemoryStreamisresilienttodouble-Dispose")]

publicvirtualAntiForgeryDataDeserialize(stringserializedToken)

{

if(String.IsNullOrEmpty(serializedToken))

{

thrownewArgumentException("Argument_Cannot_Be_Null_Or_Empty","serializedToken");

}

try

{

using(MemoryStreamstream=newMemoryStream(Decoder(serializedToken)))

using(BinaryReaderreader=newBinaryReader(stream))

{

returnnewAntiForgeryData

{

Salt=reader.ReadString(),

Value=reader.ReadString(),

CreationDate=newDateTime(reader.ReadInt64()),

Username=reader.ReadString(),

SessionId=reader.ReadString()

};

}

}

catch(Exceptionex)

{

thrownewSystem.Web.Mvc.HttpAntiForgeryException("AntiForgeryToken_ValidationFailed",ex);

}

}

[SuppressMessage("Microsoft.Usage","CA2202:Donotdisposeobjectsmultipletimes",Justification="MemoryStreamisresilienttodouble-Dispose")]

publicvirtualstringSerialize(AntiForgeryDatatoken)

{

if(token==null)

{

thrownewArgumentNullException("token");

}

using(MemoryStreamstream=newMemoryStream())

using(BinaryWriterwriter=newBinaryWriter(stream))

{

writer.Write(token.Salt);

writer.Write(token.Value);

writer.Write(token.CreationDate.Ticks);

writer.Write(token.Username);

writer.Write(token.SessionId);

returnEncoder(stream.ToArray());

}

}

}

[code]@using(Html.BeginForm("Submit2","Home"))

{

@Html.AntiForgeryToken(DebugMvc.Controllers.Config.SALT);

@Html.TextBox("Title","text");

<br/>

<inputtype="submit"value="Submit"id="sb1"/>

}

[code][HttpPost]

[ValidateAntiForgeryToken(Salt=Config.SALT)]

publicActionResultSubmit2(FormCollectionfc)

{

if(!string.IsNullOrEmpty(fc["Title"]))

{

ViewBag.Message="Submitsuccess!";

returnView("Index");

}

returnView("Error");

}

[code]配置类:
publicclassConfig

{

publicconststringSALT="Whyyouarehere";

}

[code]publicclassMySessionModule:IHttpModule

{

#regionIHttpModuleMembers

publicvoidDispose(){}

publicvoidInit(HttpApplicationcontext)

{

context.AcquireRequestState+=newEventHandler(this.AcquireRequestState);

}

#endregion

protectedvoidAcquireRequestState(objectsender,EventArgse)

{

HttpApplicationhttpApp=(HttpApplication)sender;

if(httpApp.Context.CurrentHandlerisIRequiresSessionState)

{

if(httpApp.Session.IsNewSession)

{

httpApp.Session["GUID"]=Guid.NewGuid();

}

}

}

}

AntiForgeryToken_ValidationFailed

[code]namespaceDebugMvc.Ut

{

usingSystem;

usingSystem.Collections.Generic;

usingSystem.Linq;

usingSystem.Web;

usingMicrosoft.VisualStudio.TestTools.UnitTesting;

usingDebugMvc.Controllers;

usingSystem.Web.Mvc;

usingMoq;

usingSystem.Collections.Specialized;

usingMatch=System.Text.RegularExpressions.Match;

usingSystem.Text.RegularExpressions;

usingSystem.Globalization;

[TestClass]

publicclassUnitTestForAll

{

privatestaticstring_antiForgeryTokenCookieName=AntiForgeryData.GetAntiForgeryTokenName("/SomeAppPath");

privateconststring_serializedValuePrefix=@"<inputname=""__RequestVerificationToken""type=""hidden""value=""Creation:";

privateconststring_someValueSuffix=@",Value:somevalue,Salt:someothersalt,Username:username""/>";

privatereadonlyRegex_randomFormValueSuffixRegex=newRegex(@",Value:(?<value>[A-Za-z0-9/\+=]{24}),Salt:someothersalt,Username:username""/>$");

privatereadonlyRegex_randomCookieValueSuffixRegex=newRegex(@",Value:(?<value>[A-Za-z0-9/\+=]{24}),Salt:");

[TestMethod]

publicvoidTestValidateAntiForgeryToken2Attribute()

{

//arrange

varmockHttpContext=newMock<HttpContextBase>();

varcontext=mockHttpContext.Object;

varauthorizationContextMock=newMock<AuthorizationContext>();

authorizationContextMock.SetupGet(ac=>ac.HttpContext).Returns(context);

boolvalidateCalled=false;

Action<HttpContextBase,string>validateMethod=(c,s)=>

{

Assert.AreSame(context,c);

Assert.AreEqual("somesalt",s);

validateCalled=true;

};

varattribute=newValidateAntiForgeryToken2Attribute(validateMethod)

{

Salt="somesalt"

};

//Act

attribute.OnAuthorization(authorizationContextMock.Object);

//Assert

Assert.IsTrue(validateCalled);

}

[TestMethod]

publicvoidGetHtml_ReturnsFormFieldAndSetsCookieValueIfDoesNotExist()

{

//Arrange

AntiForgeryWorkerworker=newAntiForgeryWorker()

{

Serializer=newDummyAntiForgeryTokenSerializer()

};

varcontext=CreateContext();

//Act

stringformValue=worker.GetHtml(context,"someothersalt",null,null).ToHtmlString();

//Assert

Assert.IsTrue(formValue.StartsWith(_serializedValuePrefix),"Formvalueprefixdidnotmatch.");

MatchformMatch=_randomFormValueSuffixRegex.Match(formValue);

stringformTokenValue=formMatch.Groups["value"].Value;

HttpCookiecookie=context.Response.Cookies[_antiForgeryTokenCookieName];

Assert.IsNotNull(cookie,"Cookiewasnotsetcorrectly.");

Assert.IsTrue(cookie.HttpOnly,"CookieshouldhaveHTTP-onlyflagset.");

Assert.IsTrue(String.IsNullOrEmpty(cookie.Domain),"Domainshouldnothavebeenset.");

Assert.AreEqual("/",cookie.Path,"Pathshouldhaveremainedat'/'bydefault.");

MatchcookieMatch=_randomCookieValueSuffixRegex.Match(cookie.Value);

stringcookieTokenValue=cookieMatch.Groups["value"].Value;

Assert.AreEqual(formTokenValue,cookieTokenValue,"Formandcookietokenvaluesdidnotmatch.");

}

privatestaticHttpContextBaseCreateContext(stringcookieValue=null,stringformValue=null,stringusername="username")

{

HttpCookieCollectionrequestCookies=newHttpCookieCollection();

if(!String.IsNullOrEmpty(cookieValue))

{

requestCookies.Set(newHttpCookie(_antiForgeryTokenCookieName,cookieValue));

}

NameValueCollectionformCollection=newNameValueCollection();

if(!String.IsNullOrEmpty(formValue))

{

formCollection.Set(AntiForgeryData.GetAntiForgeryTokenName(null),formValue);

}

Mock<HttpContextBase>mockContext=newMock<HttpContextBase>();

mockContext.Setup(c=>c.Request.ApplicationPath).Returns("/SomeAppPath");

mockContext.Setup(c=>c.Request.Cookies).Returns(requestCookies);

mockContext.Setup(c=>c.Request.Form).Returns(formCollection);

mockContext.Setup(c=>c.Response.Cookies).Returns(newHttpCookieCollection());

mockContext.Setup(c=>c.User.Identity.IsAuthenticated).Returns(true);

mockContext.Setup(c=>c.User.Identity.Name).Returns(username);

varsessionmock=newMock<HttpSessionStateBase>();

sessionmock.Setup(s=>s["GUID"]).Returns(Guid.NewGuid().ToString());

mockContext.Setup(c=>c.Session).Returns(sessionmock.Object);

returnmockContext.Object;

}

}

internalclassDummyAntiForgeryTokenSerializer:AntiForgeryDataSerializer

{

publicoverridestringSerialize(AntiForgeryDatatoken)

{

returnString.Format(CultureInfo.InvariantCulture,"Creation:{0},Value:{1},Salt:{2},Username:{3}",

token.CreationDate,token.Value,token.Salt,token.Username);

}

publicoverrideAntiForgeryDataDeserialize(stringserializedToken)

{

if(serializedToken=="invalid")

{

thrownewHttpAntiForgeryException();

}

string[]parts=serializedToken.Split(':');

returnnewAntiForgeryData()

{

CreationDate=DateTime.Parse(parts[0],CultureInfo.InvariantCulture),

Value=parts[1],

Salt=parts[2],

Username=parts[3]

};

}

}

}