2

I have an ASP MVC website that consumes a WCF service via JSON-encoded ajax. Is there any way to use anti-forgery tokens with the ajax <--> WCF service?

This is how it is used in an ASP MVC application: http://weblogs.asp.net/dixin/archive/2010/05/22/anti-forgery-request-recipes-for-asp-net-mvc-and-ajax.aspx

4

1 Answer

0

The Anti Forgery Token, as I'm sure you're aware, is available by default in the MVC framework. You are using Ajax to WCF, which really doesn't have anything to do with MVC except for the concept you're outlining.

You're going down a long road to provide a secure Ajax call via an MVC view to a WCF service.

First you'll need to use an Ajax Anti Forgery token implementation; please see below for links. You'll also need a database to manage your WCF tokens with an expiration date.

On load you'll need to dump out the WCF token and pass the token on every WCF request. The token will be validated against the database. If the token has expired, you'll need to do another Ajax request with the AJAX Anti Forgery token to generate a new WCF token, return the token, and use it in your WCF Ajax request.

In conclusion, you'll have two tokens: one to validate your Ajax requests to your MVC controllers and the other for WCF requests. This approach will provide you with a secure request model to decrease the chance of a CSRF.

More about CSRF: http://www.troyhunt.com/2010/11/owasp-top-10-for-net-developers-part-5.html

MVC Ajax Anti Forgery token: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

Hopefully this helps.

Answered 2012-02-24T05:33:36.700
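The two-token flow described in the answer above, modelled end to end as an added example (not code from the answer or from ASP.NET/WCF). The `WcfTokenStore` class, the in-memory map standing in for the database table, and the `renewWcfToken` function standing in for the anti-forgery-protected MVC action are all hypothetical names chosen for illustration.

```javascript
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(String(s)).digest('hex');

// In-memory stand-in for the database table of WCF tokens (hypothetical schema).
class WcfTokenStore {
  constructor(ttlMs, now = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.rows = new Map(); // sha256(token) -> { userId, expires }
  }
  // Issue a fresh random token; only its hash is kept server-side.
  issue(userId) {
    const token = crypto.randomBytes(32).toString('hex');
    this.rows.set(sha256(token), { userId, expires: this.now() + this.ttlMs });
    return token;
  }
  // What the WCF service runs on every request: 'ok' | 'expired' | 'invalid'.
  validate(userId, token) {
    const key = sha256(token);
    const row = this.rows.get(key);
    if (!row || row.userId !== userId) return 'invalid';
    if (row.expires <= this.now()) { this.rows.delete(key); return 'expired'; }
    return 'ok';
  }
}

// Stand-in for the MVC action guarded by the anti-forgery check: the token sent
// with the Ajax request must match the one bound to the session.
function renewWcfToken(store, session, sentAntiForgery) {
  const a = Buffer.from(sha256(session.antiForgery));
  const b = Buffer.from(sha256(sentAntiForgery));
  if (!crypto.timingSafeEqual(a, b)) return null; // forged request: no new token
  return store.issue(session.userId);
}

// Browser-side flow: call WCF; if the token expired, renew through MVC and retry once.
function callWcf(store, session, page) {
  let status = store.validate(session.userId, page.wcfToken);
  if (status === 'expired') {
    const fresh = renewWcfToken(store, session, page.antiForgery);
    if (fresh === null) return 'invalid';
    page.wcfToken = fresh;
    status = store.validate(session.userId, page.wcfToken);
  }
  return status;
}
```

A page that cannot present the session's anti-forgery token never obtains a replacement WCF token, so an expired WCF token cannot be refreshed by a cross-site request.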