This article is translated from: ValidateAntiForgeryToken purpose, explanation and example
Could you explain the purpose of ValidateAntiForgeryToken and show me an example of ValidateAntiForgeryToken in MVC 4?
I could not find any examples which explain this attribute.
Reply #1
Reference: https://stackoom.com/question/v9gc/ValidateAntiForgeryToken的用途-解释和示例
Reply #2
MVC's anti-forgery support writes a unique value to an HTTP-only cookie and then the same value is written to the form. When the page is submitted, an error is raised if the cookie value doesn't match the form value.
It's important to note that the feature prevents cross-site request forgeries. That is, a form from another site that posts to your site in an attempt to submit hidden content using an authenticated user's credentials. The attack involves tricking the logged-in user into submitting a form, or simply programmatically triggering a form when the page loads.
The feature doesn't prevent any other type of data forgery or tampering-based attacks.
To use it, decorate the action method or controller with the ValidateAntiForgeryToken attribute and place a call to @Html.AntiForgeryToken() in the forms posting to the method.
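
The usage described in the answer above, shown as an added example that is not part of the original post: an MVC 4 controller whose POST action carries ValidateAntiForgeryToken, with the matching Razor form given in the trailing comment. AccountController, ChangeEmailModel, the ChangeEmail action and the in-memory store are hypothetical names chosen for illustration.

```csharp
// Added example; AccountController, ChangeEmailModel and ChangeEmail are hypothetical names.
using System.Collections.Concurrent;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

public class ChangeEmailModel
{
    [Required]
    public string NewEmail { get; set; }
}

[Authorize]
public class AccountController : Controller
{
    // In-memory stand-in for a user store (constructed for this example).
    private static readonly ConcurrentDictionary<string, string> Emails =
        new ConcurrentDictionary<string, string>();

    // GET renders the form; the view's Html.AntiForgeryToken() call sets the
    // HTTP-only cookie and emits the hidden __RequestVerificationToken field.
    public ActionResult ChangeEmail()
    {
        return View(new ChangeEmailModel());
    }

    // POST changes state, so it is the action that needs the check. The filter
    // runs before the action body and throws HttpAntiForgeryException when the
    // cookie or form token is missing or the two do not match.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(ChangeEmailModel model)
    {
        if (!ModelState.IsValid) return View(model);
        Emails[User.Identity.Name] = model.NewEmail;
        return RedirectToAction("ChangeEmail");
    }
}

/* Views/Account/ChangeEmail.cshtml (Razor view for the actions above):
@model ChangeEmailModel
@using (Html.BeginForm("ChangeEmail", "Account", FormMethod.Post))
{
    @Html.AntiForgeryToken()
    @Html.TextBoxFor(m => m.NewEmail)
    <input type="submit" value="Save" />
}
*/
```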