ASP.NET MVC ?Ajax ?伪造请求

 ???/// <summary> ???/// 首页 ???/// </summary> ???public class HomeController : Controller ???{ ???????/// <summary> ???????/// 用户登录了111111 ???????/// </summary> ???????/// <returns></returns> ???????public ActionResult Index() ???????{ ???????????return View(); ???????} ???????/// <summary> ???????/// Your application description page. ???????/// </summary> ???????/// <returns></returns> ???????public ActionResult About() ???????{ ???????????ViewBag.Message = "Your application description page."; ???????????return View(); ???????} ???????/// <summary> ???????/// Your contact page. ???????/// </summary> ???????/// <param name="name">姓名</param> ???????/// <returns></returns> ???????public ActionResult Contact(string name) ???????{ ???????????ViewBag.Message = "Your contact page."; ???????????return View(); ???????} ???????/// <summary> ???????/// ????????/// </summary> ???????/// <returns></returns> ???????public ActionResult Person() ???????{ ???????????return View(); ???????} ???????/// <summary> ???????/// ????????/// </summary> ???????/// <param name="Name"></param> ???????/// <param name="Age"></param> ???????/// <returns></returns> ???????[HttpPost] ???????[AntiForgeryToken] ???????public ActionResult UserInfo(string Name,string Age) ???????{ ???????????return Json(Name + Age); ???????} ???}

<html><head> ???<meta name="viewport" content="width=device-width" /> ???<title>Person</title> ???<script src="~/Scripts/jquery-3.3.1.min.js"></script> ???<script src="~/Scripts/jquery.validate.js"></script> ???<script src="~/Scripts/jquery.validate.unobtrusive.js"></script></head><body> ???<form id="form1">
　　　　@*@Html.AntiForgeryToken()*@ ???????<div class="form-horizontal"> ???????????<div class="form-group"> ???????????????<div> ???????????????????姓名：<input type="text" name="name" value="" id="name" /> ???????????????????密码: ?<input type="text" name="age" value="" id="age" /> ???????????????</div> ???????????????<div class="col-md-offset-2 col-md-10"> ???????????????????<input type="button" id="save" value="Create" class="btn btn-default" /> ???????????????</div> ???????????</div> ???????</div> ???</form> ???<script> ???????$(function () { ????????????//获取防伪标记 ???????????var token = $(‘@Html.AntiForgeryToken()‘).val(); ???????????var headers = {}; ???????????//防伪标记放入headers ???????????//也可以将防伪标记放入data ???????????headers["__RequestVerificationToken"] = token; ???????????$("#save").click(function () { ???????????????$.ajax({ ???????????????????type: ‘POST‘, ???????????????????url: ‘/Home/UserInfo‘, ???????????????????cache: false, ???????????????????headers: headers, ???????????????????data: { Name: $("#name").val(), Age: $("#age").val() }, ???????????????????success: function (data) { ???????????????????????alert(data) ???????????????????}, ???????????????????error: function () { ???????????????????????alert("Error") ???????????????????} ???????????????}); ???????????}) ???????}); ???</script></body></html>

public class AntiForgeryToken : AuthorizeAttribute ???{ ???????/// <summary> ???????/// ????????/// </summary> ???????/// <param name="filterContext"></param> ???????public override void OnAuthorization(AuthorizationContext filterContext) ???????{ ???????????var request = filterContext.HttpContext.Request; ???????????if (request.IsAjaxRequest()) ???????????{ ???????????????var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName]; ???????????????var cookieValue = antiForgeryCookie != null ? antiForgeryCookie.Value : null; ???????????????var headerValue = request.Headers["__RequestVerificationToken"]; ???????????????//获取head中的值 ?如果为空直接拒绝不往下走 ???????????????if (string.IsNullOrEmpty(headerValue)) ???????????????{ ???????????????????base.OnAuthorization(filterContext); ???????????????????return; ???????????????} ???????????????//从cookies 和 Headers 中 验证防伪标记 ???????????????AntiForgery.Validate(cookieValue,headerValue); ???????????} ???????} ???}