在Asp.net MVC AntiForgeryToken将无法通过HTTP GET工作，因为它依赖于它依赖于HTTP POST饼干（它使用了Double提交饼干技术在OWASP XSRF $p$pvention小抄）。你也可以另外通过设置作为仅Http 的保护发送到客户端的饼干，所以它们不能经由被欺骗脚本。

The Asp.net MVC AntiForgeryToken won't work through HTTP GET, because it relies on cookies which rely on HTTP POST (it uses the "Double Submit Cookies" technique described in the OWASP XSRF Prevention Cheat Sheet). You can also additionally protect the cookies sent to the client by setting the as httponly, so they cannot be spoofed via a script.

在本文档可以看到可用于prevent XSRF各种技术。看来你描述就会掉进方法1.但是，我们必须对如何使用Ajax HTTP GET请求时，因为Cookie不会随请求发送的服务器上获取会话的问题。所以，你也必须给会话标识符添加到您操作的URL（亦称Cookie会话，这是比较容易劫持）。因此，为了执行攻击，攻击者只需要知道正确的URL来执行GET请求。

In this document you can find various techniques that can be used to prevent XSRF. It seems the you described would fall into the Approach 1. But we have a problem on how to retrieve the session on the server when using Ajax HTTP GET request since the cookies are not sent with the request. So you would also have to add a session identifier to you action's URL (aka. cookieless sessions, which are easier to hijack). So in order to perform an attack the attacker would only need to know the correct URL to perform the GET request.

也许一个很好的解决方案将是，以存储使用来自用户的SSL证书某些键（例如证书拇指指纹）的会话数据。这种方式仅SSL证书的所有者可以访问他的会话。这样，您就不需要使用cookies和你不需要通过查询字符串参数发送会话标识符。

Perhaps a good solution would be to store the session data using some key from the users SSL certificate (for example the certs thumb-print). This way only the owner of the SSL certificate could access his session. This way you don't need to use cookies and you don't need to send session identifiers via query string parameters.

反正你将需要推出自己的XSRF保护，如果你不希望使用HTTP POST在Asp.net MVC。

Anyway, you will need to roll out your own XSRF protection if you don't want to use HTTP POST in Asp.net MVC.