Do I need a ValidateAntiForgeryToken action in a login action?

It is clear that this filter is applied by default (i.e., by the scaffolding) to the Login action; as far as I know, this token works best when it is already associated with the login ID. In relation to Login, I had a problem if a user tries to log in twice, with an error such as:

The provided anti-forgery token was meant for user "", but the current user is "[theLoggedInUser]".

Now, logging into the system twice will not usually be a problem, but the extra effort to prevent it matters less if the answer to this question is less clear-cut than simply removing the check from the login action.

+4
4 answers

Yes, you must use it. By using a cookie and the hidden form value that it inserts, it helps to prevent fraud by malicious users on your site and malicious POST requests.

This, of course, applies when you check your user account details. Without it, someone could write a script to brute-force the server, trying to guess the username and password. With the anti-forgery feature, each such request fails, even if the script generates the correct password.

This is just one of many tools for ensuring that people use your site's functions the way you intend.

EDIT: Updated based on the comment, but the point still stands. Use it ;)

+2
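As an added illustration of the answer above (this code is not from the thread and not the framework's own), here is a login controller protected by the anti-forgery check, plus a small authorization filter that handles the exact failure quoted in the question: a login form rendered for the anonymous user ("") and posted after that browser has already signed in elsewhere. The filter performs the same validation as [ValidateAntiForgeryToken] via AntiForgery.Validate(), but when the only reason it fails is that the user is already authenticated, it redirects instead of surfacing an unhandled HttpAntiForgeryException; every other failure (missing or mismatched token, i.e. a genuine forged request) still throws. It assumes ASP.NET MVC 4 or later with Forms Authentication and the Membership provider; the names AccountController and ValidateLoginAntiForgeryTokenAttribute are hypothetical.

```csharp
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical drop-in alternative to [ValidateAntiForgeryToken] for the login POST.
public class ValidateLoginAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        try
        {
            // Same check the built-in attribute performs: the cookie token and the hidden
            // form field must match, and the token must have been issued for the current identity.
            AntiForgery.Validate();
        }
        catch (HttpAntiForgeryException)
        {
            // Token issued for "" (anonymous) but the request already carries an authenticated
            // user: the login happened elsewhere (second tab, double submit), so just move on.
            if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                filterContext.Result = new RedirectResult("~/");
                return;
            }
            throw; // no token or a token for a different session: fail as usual
        }
    }
}

public class AccountController : Controller
{
    // GET /Account/Login: a user who is already signed in is sent away rather than shown
    // a form whose token would no longer match the identity at submit time.
    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        if (User.Identity.IsAuthenticated)
            return RedirectToAction("Index", "Home");
        ViewBag.ReturnUrl = returnUrl;
        return View(); // the view must render @Html.AntiForgeryToken() inside the form
    }

    // POST /Account/Login
    [HttpPost]
    [ValidateLoginAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        // Membership is assumed here; substitute your own credential check.
        if (Membership.ValidateUser(userName, password))
        {
            FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);
            // Only follow local return URLs so the login form cannot be used as an open redirect.
            return Url.IsLocalUrl(returnUrl)
                ? (ActionResult)Redirect(returnUrl)
                : RedirectToAction("Index", "Home");
        }
        ModelState.AddModelError("", "The user name or password is incorrect.");
        return View();
    }
}
```

The form in the Login view has to emit the hidden field with @Html.AntiForgeryToken(), otherwise every POST fails validation. If you would rather keep the plain [ValidateAntiForgeryToken] attribute, the other option from this thread is to set AntiForgeryConfig.SuppressIdentityHeuristicChecks = true in Application_Start, which stops the token from being bound to the user name at all; the filter above keeps that binding and only special-cases the already-signed-in user.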

, - , . , AFT , - - . , "" . , IP- , .

, , , - .

0

, , -, .

, - .

, - ! , SSL. :

  • ( js)
  • @Html.AntiForgeryToken() , AJAX, -
  • - AntiForgeryConfig.SuppressIdentityHeuristicChecks = true Application_Start
0

You can use it, but if you check whether the operation was performed twice or more, you change your perspective from anti-forgery to anti-spam. Actions performed twice or more can be classified as spam events. If you want to prevent this situation, you must write code, for example:

using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Caching;
using System.Web.Mvc;

public class PreventSpamAttribute : ActionFilterAttribute
{
    //This stores the time between Requests (in seconds)
    public int DelayRequest = 10;
    //The Error Message that will be displayed in case of excessive Requests
    public string ErrorMessage = "Excessive Request Attempts Detected.";
    public string ErrorResouceKey = string.Empty;
    //This will store the URL to Redirect errors to
    public string RedirectUrl;

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        //Store our HttpContext.Request (for easier reference and code brevity)
        var request = filterContext.HttpContext.Request;
        //Store our HttpContext.Cache (for easier reference and code brevity)
        var cache = filterContext.HttpContext.Cache;

        //Grab the IP Address from the originating Request (very simple implementation for example purposes;
        //note that X-Forwarded-For is set by the client or a proxy and can be spoofed unless a trusted proxy overwrites it)
        var originationInfo = request.ServerVariables["HTTP_X_FORWARDED_FOR"] ?? request.UserHostAddress;

        //Append the User Agent
        originationInfo += request.UserAgent;

        //Now we just need the target URL Information (RawUrl already includes the query string)
        var targetInfo = request.RawUrl;

        //Generate a cache key by hashing the strings (each byte of the digest is appended as two hex characters)
        var hashValue = string.Join("", MD5.Create().ComputeHash(Encoding.ASCII.GetBytes(originationInfo + targetInfo)).Select(b => b.ToString("x2")));

        //Checks if the hashed value is contained in the Cache (indicating a repeat request within DelayRequest seconds)
        if (cache[hashValue] != null)
        {
            //Repeat request: either redirect to RedirectUrl or short-circuit the action with an error response.
            //Replace this with your own error handling strategy, e.g. the business exception below.

            // My business Solution :
            //if (!string.IsNullOrEmpty(ErrorResouceKey)) //if the error text comes from a resource
            //{
            //    throw new BusinessException(ResourceHelper.Current.GetKeyValue(ErrorResouceKey));
            //}
            //throw new BusinessException(ErrorMessage);

            if (!string.IsNullOrEmpty(RedirectUrl))
            {
                filterContext.Result = new RedirectResult(RedirectUrl);
            }
            else
            {
                //429 Too Many Requests; setting Result stops the action from executing
                filterContext.Result = new HttpStatusCodeResult(429, ErrorMessage);
            }
            return;
        }

        //Adds a marker to the cache using the hashValue as the key (the absolute expiration determines
        //how long further requests from the same origin to the same URL are treated as repeats)
        cache.Add(hashValue, 1, null, DateTime.Now.AddSeconds(DelayRequest), Cache.NoSlidingExpiration, CacheItemPriority.Default, null);
        base.OnActionExecuting(filterContext);
    }
}

When using it (you can change the error handling strategy):

   [HttpPost]
   [PreventSpam(DelayRequest = 5, ErrorMessage = "Please try again in 5 seconds.")]
   public virtual JsonResult Login()
   {
       // ... authenticate the user here ...
       return Json(new { success = true });
   }
0