The __RequestVerificationToken cookie gets '/' as its default path, so it rides along with every request. It is really only used once, for form validation, yet it is carelessly left like that and needlessly eats request traffic, so it should be restricted to the places where it is actually needed.
2. Implementation
There is already a link with a basic implementation, so I adapted it to the current version.
Original: https://colinnewell.wordpress.com/2009/01/28/tweaking-the-antiforgerytoken-on-aspnet-mvc/
Modified source:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Web;
using System.Web.Helpers;   // AntiForgeryConfig (System.Web.WebPages assembly)
using System.Web.Mvc;

namespace Ksk.Security
{
    public static class KskAntiForgeryExtentions
    {
        // Renders the anti-forgery hidden field and narrows the path of the cookie
        // that accompanies it to the application path (or to an explicit path).
        public static MvcHtmlString KrAntiForgeryToken(this HtmlHelper helper, string path = null)
        {
            HttpContextBase context = helper.ViewContext.HttpContext;

            // AntiForgeryConfig.CookieName is "__RequestVerificationToken" when the site
            // runs at the root, but gets a suffix derived from the virtual path when the
            // app lives in a virtual directory, so look it up instead of hard-coding it.
            string cookieName = AntiForgeryConfig.CookieName;

            // Dropping the incoming cookie makes AntiForgeryToken() issue a fresh token
            // and add a new cookie to the response, which we can then re-scope.
            context.Request.Cookies.Remove(cookieName);
            MvcHtmlString fragment = helper.AntiForgeryToken();

            HttpCookie cookie = context.Response.Cookies[cookieName];
            cookie.Path = string.IsNullOrEmpty(path) ? context.Request.ApplicationPath : path;
            return fragment;
        }
    }
}
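The helper above only changes the cookie's path; the POST that carries the token back must then be located under that path, otherwise the browser never sends the cookie and [ValidateAntiForgeryToken] rejects the request. The controller below is an added example (not code from the original post or from Colin Newell's article) showing the pairing; AccountController, LoginModel and the URL layout are hypothetical and assume the Ksk.Security extension class is compiled into the project.

```csharp
// Added example: a controller whose POST action sits under the path the
// anti-forgery cookie is scoped to. Names here are hypothetical.
using System.Web.Mvc;
using Ksk.Security;   // KskAntiForgeryExtentions.KrAntiForgeryToken (from the post)

namespace Ksk.Web.Controllers
{
    public class LoginModel
    {
        public string UserName { get; set; }
        public string Password { get; set; }
    }

    public class AccountController : Controller
    {
        // GET /Account/Login
        // The view renders the form with the cookie path narrowed to "~/Account":
        //   @using (Html.BeginForm("Login", "Account"))
        //   {
        //       @Html.KrAntiForgeryToken(Url.Content("~/Account"))
        //       ...
        //   }
        // Url.Content keeps the virtual directory prefix, so the same view works
        // whether the site is hosted at the root or under /vdir.
        [HttpGet]
        public ActionResult Login()
        {
            return View();
        }

        // POST /Account/Login
        // This URL starts with "/Account", so the browser includes the cookie and the
        // hidden field can be validated against it. RFC 6265 path matching is a
        // case-sensitive prefix comparison: a form posting to "/account/login" with a
        // cookie scoped to "/Account" fails with HttpAntiForgeryException even though
        // MVC routing itself is case-insensitive.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Login(LoginModel model)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            // Authentication logic goes here (omitted; not part of this example).
            return RedirectToAction("Index", "Home");
        }
    }
}
```

If a form has to post to a URL outside the narrowed path, pass that path to KrAntiForgeryToken explicitly rather than falling back to the application path; leaving the default '/' is the only setting that covers every URL, which is exactly the traffic cost the post sets out to avoid.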
3. Which one is more convenient?
//
// Summary:
// Generates a hidden form field (anti-forgery token) that is validated when the
// form is submitted.
//
// Returns:
// The generated form field (anti-forgery token).
public MvcHtmlString AntiForgeryToken();
//
// Summary:
// Generates a hidden form field (anti-forgery token) that is validated when the
// form is submitted. The field value is generated using the specified salt value.
//
// Parameters:
// salt:
// The salt value, which can be any non-empty string.
//
// Returns:
// The generated form field (anti-forgery token).
[EditorBrowsable(EditorBrowsableState.Never)]
[Obsolete("This method is deprecated. Use the AntiForgeryToken() method instead. To specify custom data to be embedded within the token, use the static AntiForgeryConfig.AdditionalDataProvider property.", true)]
public MvcHtmlString AntiForgeryToken(string salt);
//
// Summary:
// Generates a hidden form field (anti-forgery token) that is validated when the
// form is submitted. The field value is generated using the specified salt value,
// domain, and path.
//
// Parameters:
// salt:
// The salt value, which can be any non-empty string.
//
// domain:
// The application domain.
//
// path:
// The virtual path.
//
// Returns:
// The generated form field (anti-forgery token).
[EditorBrowsable(EditorBrowsableState.Never)]
[Obsolete("This method is deprecated. Use the AntiForgeryToken() method instead. To specify a custom domain for the generated cookie, use the <httpCookies> configuration element. To specify custom data to be embedded within the token, use the static AntiForgeryConfig.AdditionalDataProvider property.", true)]
public MvcHtmlString AntiForgeryToken(string salt, string domain, string path);