[Security] Automatically adding CSRF tokens to ajax calls when using jQuery--转
2014-03-18 11:57
417 查看
地址:http://erlend.oftedal.no/blog/?blogid=118
When building a ajax based application, you want to protect any POST request against CSRF attacks. If you are using jQuery, then jQuery provides a lot of convenience methods for ajax calls (
To use this token with jQuery, you need to make it available to javascript. You typically do this by adding it as a javascript variable.
Next, the trick is to bind to the global
In the example above I add the token as a request header, but you could optionally add it as a form post parameter in stead.
When building a ajax based application, you want to protect any POST request against CSRF attacks. If you are using jQuery, then jQuery provides a lot of convenience methods for ajax calls (
$.get(), $.post(), $.getJSON()etc.) and it would be a shame if you would have to duplicate adding CSRF tokens to all your ajax calls manually or by going back to
$.ajax(), because the convenience method didn't support the way you wanted to add the token. But jQuery, being the customizable framework it is, of course allows you to add these kinds of things through events.
Session based tokens
If you are using session based tokens, you probably generate a secure token when generating the session, and store that token in the session. When a request comes back to the server, you check that the token is included in the request and compare it to what's in the session. If it's the same token, you accept the request, if not you reject it.To use this token with jQuery, you need to make it available to javascript. You typically do this by adding it as a javascript variable.
var csrf_token = '<%= token_value %>';
Next, the trick is to bind to the global
ajaxSendevent, and add the token to any POST request
$("body").bind("ajaxSend", function(elm, xhr, s){ if (s.type == "POST") { xhr.setRequestHeader('X-CSRF-Token', csrf_token); } });
In the example above I add the token as a request header, but you could optionally add it as a form post parameter in stead.
Double-submit of cookie
When using double submit of cookie, you adjust the example above to extract the value ofcsrf_tokenfrom the cookies instead.
Update: Bug in jQuery 1.5.0
This does not work in jQuery 1.5.0 because of bug 8360. Looks like it will be fixed in 1.5.1. Works in 1.4.4.相关文章推荐
- Using JQuery to perform Ajax calls in ASP.NET MVC
- Using jQuery to directly call ASP.NET AJAX page methods
- using iscroll.js and iscroll jquery plugin in android webview to scroll div and ajax load data.
- 5 Ways to Make Ajax Calls with jQuery
- 转 Using $.ajaxPrefilter() To Configure AJAX Requests In jQuery 1.5
- Send and Receive JSON objects to Web Service Methods using jQuery AJAX in ASP.Net
- Using $.ajaxPrefilter() To Configure AJAX Requests In jQuery 1.5
- Many ways to communicate with your database using jQuery AJAX and ASP.NET
- How to use jquery ajax and android request security RESTful WCF
- when jquery.ajax() call wcf,if success,how to use wcf return value?
- What is the best way to handle Invalid CSRF token found in the request when session times out in Spring security
- how to display a loading gif when using jquery ui dialog iframe
- Implementing Ajax in Java web application using JQuery
- Using caspol.exe to change .NET security policy - done right
- 4 Steps to Consume Web Services using Ajax
- solution to display [PAGETITLE] when using smculloch's skin for dotnetnuke
- django用jquery的ajax提交表单,中间件的CsrfViewMiddleware问题
- How to find the log I want when using 'git log'
- 使用jQuery中的when实现多个AJAX请求对应单个回调的例子分享
- How to solve the libmount dependency when building BSP using ptxdist