ajax中加上AntiForgeryToken防止CSRF攻击

@model WebApplication1.Controllers.Person@{ ???ViewBag.Title = "Index";}<h2>Index</h2><form id="form1"> ???<div class="form-horizontal"> ???????<h4>Persen</h4> ???????<hr /> ???????@Html.ValidationSummary(true, "", new { @class = "text-danger" }) ???????<div class="form-group"> ???????????@Html.LabelFor(model => model.Name, htmlAttributes: new { @class = "control-label col-md-2" }) ???????????<div class="col-md-10"> ???????????????@Html.EditorFor(model => model.Name, new { htmlAttributes = new { @class = "form-control" } }) ???????????????@Html.ValidationMessageFor(model => model.Name, "", new { @class = "text-danger" }) ???????????</div> ???????</div> ???????<div class="form-group"> ???????????@Html.LabelFor(model => model.Age, htmlAttributes: new { @class = "control-label col-md-2" }) ???????????<div class="col-md-10"> ???????????????@Html.EditorFor(model => model.Age, new { htmlAttributes = new { @class = "form-control" } }) ???????????????@Html.ValidationMessageFor(model => model.Age, "", new { @class = "text-danger" }) ???????????</div> ???????</div> ???????<div class="form-group"> ???????????<div class="col-md-offset-2 col-md-10"> ???????????????<input type="button" id="save" value="Create" class="btn btn-default" /> ???????????</div> ???????</div> ???</div></form><script src="~/Scripts/jquery-1.10.2.min.js"></script><script src="~/Scripts/jquery.validate.min.js"></script><script src="~/Scripts/jquery.validate.unobtrusive.min.js"></script><script type="text/javascript"> ???$(function () { ???????//var token = $(‘[name=__RequestVerificationToken]‘); ???????//获取防伪标记 ???????var token = $(‘@Html.AntiForgeryToken()‘).val(); ???????var headers = {}; ???????//防伪标记放入headers ???????//也可以将防伪标记放入data ???????headers["__RequestVerificationToken"] = token; ???????????$("#save").click(function () { ???????????$.ajax({ ???????????????type: ‘POST‘, ???????????????url: ‘/Home/Index‘, ???????????????cache: false, ???????????????headers: headers, ???????????????data: { Name: "yangwen", Age: "1" }, ???????????????success: function (data) { ???????????????????alert(data) ???????????????}, ???????????????error: function () { ???????????????????alert("Error") ???????????????} ???????????}); ???????}) ???})</script>

using System;using System.Collections.Generic;using System.Linq;using System.Net;using System.Web;using System.Web.Helpers;using System.Web.Mvc;namespace WebApplication1.Controllers ???{ ???public class HomeController : Controller ???????{ ???????public ActionResult Index() ???????????{ ???????????return View(); ???????????} ????[HttpPost] ????[MyValidateAntiForgeryToken] ???????public ActionResult Index(Person p) ???????????{ ???????????return Json(true, JsonRequestBehavior.AllowGet); ???????????} ???????} ???public class Person ???????{ ???????public string Name { get; set; } ???????public int Age { get; set; } ???????} ???public class MyValidateAntiForgeryToken : AuthorizeAttribute ???????{ ???????public override void OnAuthorization(AuthorizationContext filterContext) ???????????{ ???????????var request = filterContext.HttpContext.Request; ???????????????????????if (request.HttpMethod == WebRequestMethods.Http.Post) ???????????????{ ?????????????????????????if (request.IsAjaxRequest()) ???????????????????{ ???????????????????var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName]; ???????????????????var cookieValue = antiForgeryCookie != null ???????????????????????? antiForgeryCookie.Value ???????????????????????: null; ???????????????????//从cookies 和 Headers 中 验证防伪标记 ???????????????????//这里可以加try-catch ???????????????????AntiForgery.Validate(cookieValue, request.Headers["__RequestVerificationToken"]); ???????????????????} ???????????????else ???????????????????{ ???????????????????new ValidateAntiForgeryTokenAttribute() ???????????????????????.OnAuthorization(filterContext); ???????????????????} ???????????????} ???????????} ???????} ???}

$(function () { ???????//var token = $(‘[name=__RequestVerificationToken]‘); ???????//获取防伪标记 ???????var token = $(‘@Html.AntiForgeryToken()‘).val(); ???????var headers = {}; ???????//防伪标记放入headers ???????//也可以将防伪标记放入data ???????headers["__RequestVerificationToken"] = token+11111111111111111111111111111111111; ???????$("#save").click(function () { ???????????$.ajax({ ???????????????type: ‘POST‘, ???????????????url: ‘/Home/Index‘, ???????????????cache: false, ??????????????headers: headers, ???????????????data: { Name: "yangwen", Age: "1" }, ???????????????success: function (data) { ???????????????????alert(data) ???????????????}, ???????????????error: function () { ???????????????????alert("Error") ???????????????} ???????????}); ???????}) ???})