// In the View (Razor .cshtml): the token pair is minted server-side and handed to the AJAX call via a custom header
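<script type="text/javascript">
    @functions {
        // Mints a fresh anti-forgery token pair and packs it as "cookieToken:formToken"
        // for the request header. GetTokens(null, ...) generates a new cookie token on
        // every render and does NOT write it to a response cookie; that is fine here
        // because the filter validates the pair it receives in the header, not a cookie.
        // Razor HTML-encodes this output inside the <script>; the tokens are
        // framework-generated and are expected to contain no ':' or HTML-significant
        // characters — TODO confirm for the framework version in use.
        public string ToKenHeaderValue()
        {
            string cookieToken, formToken;
            AntiForgery.GetTokens(null, out cookieToken, out formToken);
            return cookieToken + ":" + formToken;
        }
    }
    $(function () {
        // ...
        $.ajax("api/Value", {
            data: { /* ... */ },
            type: 'post',
            dataType: 'json',
            // Both halves travel in a custom header. A cross-site page cannot add a custom
            // header without a CORS preflight and cannot read this page to learn the
            // values, which is what gives the header check its CSRF value. jQuery also
            // adds X-Requested-With for same-origin calls, which the filter relies on to
            // pick the header path.
            headers: { 'RequestVerificationToKen': '@ToKenHeaderValue()' },
            success: function (data) { /* ... */ }
        });
    });
</script>

// Custom filter (put in its own .cs file). Validates the anti-forgery token on every request
// to the action it decorates: AJAX requests carry the token pair in a custom header, regular
// form posts use the standard cookie + hidden field. Any failure rejects the request.
public class MyValidateAntiForgeryToKenAttribute : FilterAttribute, IAuthorizationFilter
{
    // Header the view populates with "cookieToken:formToken". Must match the view exactly.
    private const string TokenHeaderName = "RequestVerificationToKen";

    // Splits the header into its two halves and validates them as a pair.
    // A missing or malformed header leaves both halves empty, so AntiForgery.Validate
    // throws and the check fails closed. Validate(cookie, form) verifies the MAC and that
    // the form token is bound to the same security token (and, for authenticated users,
    // to the current identity — framework behaviour, verify for your auth setup), so a
    // pair captured from the attacker's own session does not validate for a victim.
    private static void ValidateRequestHeader(HttpRequestBase request)
    {
        string cookieToken = "";
        string formToken = "";
        string tokenValue = request.Headers[TokenHeaderName];
        if (!string.IsNullOrEmpty(tokenValue))
        {
            string[] tokens = tokenValue.Split(':');
            // Original compared with '=' (assignment) here, which does not compile;
            // the intent is an equality check.
            if (tokens.Length == 2)
            {
                cookieToken = tokens[0].Trim();
                formToken = tokens[1].Trim();
            }
        }
        AntiForgery.Validate(cookieToken, formToken);
    }

    // IAuthorizationFilter entry point. Chooses the validation path by IsAjaxRequest()
    // (i.e. the X-Requested-With header) and converts every failure into an
    // HttpAntiForgeryException so the request is rejected rather than accidentally allowed.
    public void OnAuthorization(AuthorizationContext context)
    {
        try
        {
            if (context.HttpContext.Request.IsAjaxRequest())
            {
                ValidateRequestHeader(context.HttpContext.Request);
            }
            else
            {
                // Classic form post: cookie + __RequestVerificationToken field.
                AntiForgery.Validate();
            }
        }
        catch (Exception ex)
        {
            // Deliberately broad: any error on this path must deny the request. The
            // original cause is preserved as InnerException for diagnostics.
            throw new HttpAntiForgeryException("...", ex);
        }
    }
}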
In the Controller action (the filter must be applied to every state-changing action, not only this one):
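[HttpPost]                       // POST only; the token is never validated on GET, so GET must not change state
[MyValidateAntiForgeryToKen]     // custom filter: validates the header pair (AJAX) or the cookie+form field (form post)
public ActionResult Value()
{
    // NOTE(review): the view posts to "api/Value", a Web API-style URL, but this is a
    // System.Web.Mvc filter and MVC filters do not run on ApiController actions —
    // confirm the route resolves to this MVC action.
    // ...
}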