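/// <summary>
/// Validates the anti-forgery token pair of the current request: the token stored in the
/// request cookie must carry the same random value as the token posted in the form, and the
/// form token must have been issued for the current user and for <paramref name="salt"/>.
/// Every failed check throws the exception produced by
/// <see cref="AntiForgeryWorker.CreateValidationException"/>.
/// </summary>
/// <param name="context">The HTTP context whose cookies, form collection and user are checked.</param>
/// <param name="salt">The salt the form token is expected to carry; <c>null</c> is treated as an empty salt.</param>
public void Validate(HttpContext context, string salt)
{
    // The form field name is application-independent; the cookie name is scoped to the
    // application path so that applications on the same host do not share a cookie.
    string formTokenName = AntiForgeryData.GetAntiForgeryTokenName(null);
    string cookieTokenName = AntiForgeryData.GetAntiForgeryTokenName(context.Request.ApplicationPath);

    // 1. The cookie half of the token pair must be present and readable.
    HttpCookie httpCookie = context.Request.Cookies[cookieTokenName];
    if (httpCookie == null || string.IsNullOrEmpty(httpCookie.Value))
    {
        throw AntiForgeryWorker.CreateValidationException();
    }
    AntiForgeryData cookieAntiForgeryData = this.Serializer.Deserialize(httpCookie.Value);
    // A serializer that reports a malformed or tampered ticket by returning null (as
    // AntiForgeryData.Deserializer does) must produce a validation failure here rather
    // than a NullReferenceException at the comparison below.
    if (cookieAntiForgeryData == null)
    {
        throw AntiForgeryWorker.CreateValidationException();
    }

    // 2. The form half must be present and readable as well.
    string formTokenValue = context.Request.Form[formTokenName];
    if (string.IsNullOrEmpty(formTokenValue))
    {
        throw AntiForgeryWorker.CreateValidationException();
    }
    AntiForgeryData formAntiForgeryData = this.Serializer.Deserialize(formTokenValue);
    if (formAntiForgeryData == null)
    {
        throw AntiForgeryWorker.CreateValidationException();
    }

    // 3. Both halves must carry the same random value; this is the cookie-to-form binding
    //    that a cross-site request cannot reproduce. Note that string.Equals is not a
    //    constant-time comparison.
    if (!string.Equals(cookieAntiForgeryData.Value, formAntiForgeryData.Value, StringComparison.Ordinal))
    {
        throw AntiForgeryWorker.CreateValidationException();
    }

    // 4. The form token must have been issued to the user making this request
    //    (user names are compared case-insensitively).
    string username = AntiForgeryData.GetUsername(context.User);
    if (!string.Equals(formAntiForgeryData.Username, username, StringComparison.OrdinalIgnoreCase))
    {
        throw AntiForgeryWorker.CreateValidationException();
    }

    // 5. The form token must have been issued for this salt; a null salt and an empty
    //    salt are considered the same.
    if (!string.Equals(salt ?? string.Empty, formAntiForgeryData.Salt, StringComparison.Ordinal))
    {
        throw AntiForgeryWorker.CreateValidationException();
    }
}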
/// <summary>
/// Creates a fresh anti-forgery token whose <c>Value</c> is a newly generated random
/// string. All other properties keep whatever the parameterless constructor gives them.
/// </summary>
/// <returns>A new <see cref="AntiForgeryData"/> carrying only a random value.</returns>
public static AntiForgeryData NewToken()
{
    string randomValue = AntiForgeryData.GenerateRandomTokenString();
    AntiForgeryData token = new AntiForgeryData();
    token.Value = randomValue;
    return token;
}
/// <summary>
/// Rebuilds an <see cref="AntiForgeryData"/> from its binary form. The payload must start
/// with the version byte <c>1</c>, followed by Salt, Value, CreationDate ticks and Username;
/// producers of this byte layout must emit that leading version byte.
/// </summary>
/// <param name="serializedTicket">The raw bytes to read.</param>
/// <returns>
/// The decoded token, or <c>null</c> when the version byte is not <c>1</c> or the input
/// cannot be read (truncated, malformed or otherwise unreadable data).
/// </returns>
internal static AntiForgeryData Deserializer(byte[] serializedTicket)
{
    try
    {
        using (MemoryStream stream = new MemoryStream(serializedTicket))
        using (SerializingBinaryReader reader = new SerializingBinaryReader(stream))
        {
            // Reject anything that does not announce the one supported layout version.
            byte version = reader.ReadByte();
            if (version != 1)
            {
                return null;
            }

            // Field order is fixed and must match the writer side.
            AntiForgeryData token = new AntiForgeryData();
            token.Salt = reader.ReadBinaryString();
            token.Value = reader.ReadBinaryString();
            token.CreationDate = new DateTime(reader.ReadInt64());
            token.Username = reader.ReadBinaryString();
            return token;
        }
    }
    catch
    {
        // Deliberate best-effort: any unreadable input is reported as "no token" so that
        // callers treat it like a missing token instead of surfacing a parse error.
        return null;
    }
}
/// <summary>
/// Returns the name under which the anti-forgery token is stored. Without an application
/// path the bare name is returned (used for the hidden form field); with one, a suffix
/// derived from the path is appended so each application gets its own cookie name.
/// </summary>
/// <param name="appPath">The application path to scope the name to, or <c>null</c>/empty for the unscoped name.</param>
/// <returns>The token name.</returns>
internal static string GetAntiForgeryTokenName(string appPath)
{
    const string baseName = "__RequestVerificationToken";
    return string.IsNullOrEmpty(appPath)
        ? baseName
        : baseName + "_" + AntiForgeryData.Base64EncodeForCookieName(appPath);
}
/// <summary>
/// Serializes an anti-forgery token into a string suitable for a cookie or hidden field.
/// The token is first converted to a forms-authentication ticket and then protected by
/// <see cref="FormsAuthentication.Encrypt"/>, i.e. with the application's machineKey.
/// </summary>
/// <param name="token">The token to serialize.</param>
/// <returns>The encrypted ticket string.</returns>
/// <exception cref="ArgumentNullException"><paramref name="token"/> is <c>null</c>.</exception>
public virtual string Serialize(AntiForgeryData token)
{
    if (token == null)
    {
        throw new ArgumentNullException("token");
    }
    var ticket = token.ConvertToFormsTicket();
    return FormsAuthentication.Encrypt(ticket);
}
/// <summary>
/// Copy constructor: creates a new <see cref="AntiForgeryData"/> carrying the same
/// CreationDate, Salt, Username and Value as <paramref name="token"/>.
/// </summary>
/// <param name="token">The token to copy.</param>
/// <exception cref="ArgumentNullException"><paramref name="token"/> is <c>null</c>.</exception>
public AntiForgeryData(AntiForgeryData token)
{
    if (token == null)
    {
        throw new ArgumentNullException("token");
    }

    // Plain property copy; the new instance shares no state with the source.
    this.CreationDate = token.CreationDate;
    this.Salt = token.Salt;
    this.Username = token.Username;
    this.Value = token.Value;
}
/// <summary>
/// Renders the hidden <c>&lt;input&gt;</c> that carries the form half of the anti-forgery
/// token pair, issuing (or reusing) the matching cookie as a side effect.
/// </summary>
/// <param name="httpContext">The current HTTP context; its request cookies are read and a response cookie may be set.</param>
/// <param name="salt">Salt to embed in the form token.</param>
/// <param name="domain">Domain for the cookie, if one is issued.</param>
/// <param name="path">Path for the cookie, if one is issued; ignored when empty.</param>
/// <returns>A self-closing hidden input element as an HTML string.</returns>
public String GetHtml(HttpContext httpContext, string salt, string domain, string path)
{
    string fieldValue = this.GetAntiForgeryTokenAndSetCookie(httpContext, salt, domain, path);
    string fieldName = AntiForgeryData.GetAntiForgeryTokenName(null);

    // The token value is emitted as an attribute; TagBuilder is relied on to encode it.
    TagBuilder hiddenInput = new TagBuilder("input");
    hiddenInput.Attributes["type"] = "hidden";
    hiddenInput.Attributes["name"] = fieldName;
    hiddenInput.Attributes["value"] = fieldValue;
    return hiddenInput.ToString(TagRenderMode.SelfClosing);
}
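/// <summary>
/// Serializes an anti-forgery token into its binary form: the version byte <c>1</c>, then
/// Salt, Value, CreationDate ticks and Username. The layout must stay in step with
/// <see cref="Deserializer(byte[])"/>, which rejects any payload whose first byte is not
/// the version marker before reading the fields.
/// </summary>
/// <param name="token">The token to serialize.</param>
/// <returns>The serialized bytes.</returns>
/// <exception cref="ArgumentNullException"><paramref name="token"/> is <c>null</c>.</exception>
internal static byte[] Serializer(AntiForgeryData token)
{
    if (token == null)
    {
        throw new ArgumentNullException("token");
    }

    // Deserializer(byte[]) reads one version byte and returns null unless it equals 1;
    // without writing it here nothing this method produces can be read back.
    const byte tokenVersion = 1;

    using (MemoryStream stream = new MemoryStream())
    using (SerializingBinaryWriter writer = new SerializingBinaryWriter(stream))
    {
        writer.Write(tokenVersion);
        writer.WriteBinaryString(token.Salt);
        writer.WriteBinaryString(token.Value);
        writer.Write(token.CreationDate.Ticks);
        writer.WriteBinaryString(token.Username);
        return stream.ToArray();
    }
}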
/// <summary>
/// Produces the form half of the anti-forgery token pair. The random value is taken from
/// the existing cookie when it can be deserialized; otherwise a new token is generated and
/// written to the response as an HttpOnly cookie. The returned form token is the cookie
/// token re-stamped with <paramref name="salt"/> and the current user name.
/// </summary>
/// <param name="httpContext">The current HTTP context; request cookies are read and a response cookie may be set.</param>
/// <param name="salt">Salt to embed in the form token.</param>
/// <param name="domain">Domain for a newly issued cookie.</param>
/// <param name="path">Path for a newly issued cookie; ignored when empty.</param>
/// <returns>The serialized form token.</returns>
private string GetAntiForgeryTokenAndSetCookie(HttpContext httpContext, string salt, string domain, string path)
{
    string cookieName = AntiForgeryData.GetAntiForgeryTokenName(httpContext.Request.ApplicationPath);

    // Reuse the token already held in the cookie whenever it can be read back.
    AntiForgeryData cookieToken = null;
    HttpCookie existingCookie = httpContext.Request.Cookies[cookieName];
    if (existingCookie != null)
    {
        try
        {
            cookieToken = this.Serializer.Deserialize(existingCookie.Value);
        }
        catch
        {
            // Deliberate best-effort: an unreadable cookie simply means a fresh token is issued.
        }
    }

    if (cookieToken == null)
    {
        cookieToken = AntiForgeryData.NewToken();
        HttpCookie newCookie = new HttpCookie(cookieName, this.Serializer.Serialize(cookieToken));
        // HttpOnly keeps the cookie half away from script.
        // NOTE(review): the cookie is not marked Secure; on HTTPS-only deployments consider
        // setting it so the token is never sent over plain HTTP.
        newCookie.HttpOnly = true;
        newCookie.Domain = domain;
        if (!string.IsNullOrEmpty(path))
        {
            newCookie.Path = path;
        }
        httpContext.Response.Cookies.Set(newCookie);
    }

    // The form token shares the cookie's random value but is bound to this salt and user.
    AntiForgeryData formToken = new AntiForgeryData(cookieToken);
    formToken.Salt = salt;
    formToken.Username = AntiForgeryData.GetUsername(httpContext.User);
    return this.Serializer.Serialize(formToken);
}