我正在 MVC 应用程序中实现 CSRF。我创建了自定义属性来验证 token ,因为我的输入是 json 编码并由 Ajax 调用。它在同一项目中工作正常,但当任何按钮或链接在同一解决方案中跨不同项目调用 url 时,它不会验证 token 。例如,注销位于主页并在同一解决方案中调用不同项目的 Controller 。它继续抛出“防伪 cookie token 和表单字段 token 不匹配”。我已经在网络配置中设置了机器 key 。你们能帮我解决这个问题吗?
谢谢
注销方法-主项目中的main.js文件
A.ajax({
url: config.authenticationUrl + '/Account/LogOff',
method: 'POST',
data: serialisedExtent,
contentType: 'application/json',
headers: {
'__RequestVerificationToken': $('input[name=__RequestVerificationToken]').val()
}
})
身份验证项目中帐户 Controller 中的 Controller 方法
[HttpPost]
[ValidateHeaderAntiForgeryToken]
public async Task<ActionResult> LogOff([ModelBinder(typeof(JsonNetModelBinder))] Exten extent)
{
if (User != null &&
User.Identity != null &&
User.Identity.IsAuthenticated)
}
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
public void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext == null)
{
throw new ArgumentNullException("filterContext");
}
var httpContext = filterContext.HttpContext;
var cookie = httpContext.Request.Cookies[AntiForgeryConfig.CookieName];
AntiForgery.Validate(cookie != null ? cookie.Value : null, httpContext.Request.Headers["__RequestVerificationToken"]);
}
错误:
The anti-forgery cookie token and form field token do not match.] [exception : System.Web.Mvc.HttpAntiForgeryException (0x80004005): The anti-forgery cookie token and form field token do not match. at System.Web.Helpers.AntiXsrf.TokenValidator.ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken) at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate(HttpContextBase httpContext, String cookieToken, String formToken) at ValidateHeaderAntiForgeryTokenAttribute.OnAuthorization(AuthorizationContext filterContext) in at System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass3_1.b__0(AsyncCallback asyncCallback, Object asyncState)] [method : ] [caller : ] [context : ]
最佳答案
尝试配置解决方案中的所有应用程序以指定相同的 ApplicationDiscriminator值:
var dataProtectionBuilder = services.AddDataProtection(configure =>
{
configure.ApplicationDiscriminator = "SharedAppName";
});
An identifier that uniquely discriminates this application from all other applications on the machine. The discriminator value is implicitly included in all protected payloads generated by the data protection system to isolate multiple logical applications that all happen to be using the same key material.
If two different applications need to share protected payloads, they should ensure that this property is set to the same value across both applications.
关于javascript - AntiForgeryToken 无法跨同一解决方案的子项目进行验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57848339/