
I have implemented AntiForgeryToken in my form. It is working. Now I want to invalidate it from outside, just for testing purposes, because I need to see what will happen when the AntiForgeryToken is tampered with.

So guide me on how to invalidate/tamper with my AntiForgeryToken to see what exception will be generated. Also guide me on how to capture that exception from the action method and redirect the user to another page with a friendly message.

A couple of questions about AntiForgeryToken:

1) I would also like to know in detail how AntiForgeryToken works.

2) Does AntiForgeryToken generate a unique value for each request? If yes, then why?

3) A web site may have many pages. So guide me with a few examples of those pages or forms where AntiForgeryToken needs to be implemented.

4) Can I write multiple AntiForgeryTokens in the same form? If not, why? Looking for a good discussion.

Thanks


1 Answer


Before submitting the form, invalidate the cookie by modifying or deleting the __RequestVerificationToken cookie.

  1. I can't explain it any better than Steve Sanderson does.
  2. Once the cookie is set, it is reused across the user's browsing session. You can salt the token, so that different forms have different tokens. I see no reason not to apply it to all POST forms and actions.
  3. Any action that modifies state based on user input (database, user session, etc.) should be protected with this technique.
  4. One form postback needs only one token. Posting more will not provide any additional security and may break MVC.
answered 2013-09-24T19:22:38.693
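For the second half of the question (catching the failure and redirecting), here is an added example in ASP.NET MVC that is not part of the question or the answer above. It wraps the framework's own `[ValidateAntiForgeryToken]` check with an exception filter that catches `HttpAntiForgeryException` and sends the user to a friendly page; the controller, action and view names (`HomeController`, `Save`, `TokenError`) and the trace call are assumptions for illustration.

```csharp
using System.Diagnostics;
using System.Web.Mvc;
using System.Web.Routing;

// Added example: turns a failed anti-forgery check into a redirect instead of a 500 page.
// ValidateAntiForgeryToken runs as an authorization filter; when the __RequestVerificationToken
// cookie and the hidden form field do not match (edited, deleted, or from another user),
// MVC throws HttpAntiForgeryException, which is routed through exception filters like this one.
public class AntiForgeryRedirectAttribute : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        if (!(filterContext.Exception is HttpAntiForgeryException))
            return; // leave every other exception to the normal error handling

        // Log the failure: a burst of these from one client is worth an alert,
        // a single one is usually an expired session or a double-submitted form.
        Trace.TraceWarning("Anti-forgery check failed for {0} from {1}",
            filterContext.HttpContext.Request.RawUrl,
            filterContext.HttpContext.Request.UserHostAddress);

        filterContext.ExceptionHandled = true;
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary(new { controller = "Home", action = "TokenError" }));
    }
}

public class HomeController : Controller   // assumed controller name
{
    // The view for this action must render @Html.AntiForgeryToken() inside the form,
    // which emits both the cookie and the matching hidden field.
    [HttpPost]
    [ValidateAntiForgeryToken]   // framework check: cookie token vs. form token
    [AntiForgeryRedirect]        // our filter: friendly redirect when that check throws
    public ActionResult Save(string name)
    {
        // ... state-changing work that must only run for genuine form posts ...
        return RedirectToAction("Index");
    }

    // Friendly landing page shown after a failed check (assumed view name "TokenError").
    public ActionResult TokenError()
    {
        ViewBag.Message = "Your form session has expired or was invalid. Please try again.";
        return View();
    }
}
```

To apply the filter to every action site-wide instead of per action, register it in `Global.asax` with `GlobalFilters.Filters.Add(new AntiForgeryRedirectAttribute());`.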