Thursday, June 7, 2012

How to works AntiForgery

What is it?«Cross-site request forgery, or CSRF (pronounced sea-surf), is an attack that occurs when someone takes advantage of the trust between your browser and a Web site to execute a command using the innocent user’s session.»
How is it exploited?
«
Suppose John is authenticated as an admin­istrator on the PureShoppingHeaven site. PureShoppingHeaven has a URL that’s restricted to admin access and allows information to be passed on the URL to execute an action, such as creating a new user.»
So if you have a View in your Orchard site with Javascript code that, for example, call an Action you will have an Anti Forgegy Exception.
You have two way to avoid this issue:
1 – Disable the antiforgery in the Module.txt file. It’s a bad way2 – Make your request with the AntiForgery code, in this way:
$.post("team/getteammember",
{
  id: id,
  __RequestVerificationToken: "@Html.AntiForgeryTokenValueOrchard()"
},
function (data) {
  // work with data
});


It’s a good way

if you want more information about security take a look here: http://msdn.microsoft.com/en-us/magazine/hh708755.aspx

Enjoy with Orchard

No comments:

Post a Comment