Problem description
I have a form post that consistently gives me an anti-forgery token error.
Here is my form:
@using (Html.BeginForm())
{
    @Html.AntiForgeryToken()
    @Html.EditorFor(m => m.Email)
    @Html.EditorFor(m => m.Birthday)
    <p>
        <input type="submit" id="Go" value="Go" />
    </p>
}
Here is my action method:
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Join(JoinViewModel model)
{
    //a bunch of stuff here but it doesn't matter because it's not making it here
}
Here is the machineKey in web.config:
<system.web>
    <machineKey validationKey="mykey" decryptionKey="myotherkey" validation="SHA1" decryption="AES" />
</system.web>
And here is the error I get:
A required anti-forgery token was not supplied or was invalid.
I've read that changing users on the HttpContext will invalidate the token, but this isn't happening here. The HttpGet on my Join action just returns the view:
[HttpGet]
public ActionResult Join()
{
    return this.View();
}
So I'm not sure what's going on. I've searched around, and everything seems to suggest that it's either the machineKey changing (app cycles) or the user/session changing.
What else could be going on? How can I troubleshoot this?
Recommended answer
After help from Adam, I got the MVC source added to my project, and was able to see there are many cases that result in the same error.
Here is the method used to validate the anti-forgery token:
public void Validate(HttpContextBase context, string salt) {
    Debug.Assert(context != null);

    string fieldName = AntiForgeryData.GetAntiForgeryTokenName(null);
    string cookieName = AntiForgeryData.GetAntiForgeryTokenName(context.Request.ApplicationPath);

    HttpCookie cookie = context.Request.Cookies[cookieName];
    if (cookie == null || String.IsNullOrEmpty(cookie.Value)) {
        // error: cookie token is missing
        throw CreateValidationException();
    }
    AntiForgeryData cookieToken = Serializer.Deserialize(cookie.Value);

    string formValue = context.Request.Form[fieldName];
    if (String.IsNullOrEmpty(formValue)) {
        // error: form token is missing
        throw CreateValidationException();
    }
    AntiForgeryData formToken = Serializer.Deserialize(formValue);

    if (!String.Equals(cookieToken.Value, formToken.Value, StringComparison.Ordinal)) {
        // error: form token does not match cookie token
        throw CreateValidationException();
    }

    string currentUsername = AntiForgeryData.GetUsername(context.User);
    if (!String.Equals(formToken.Username, currentUsername, StringComparison.OrdinalIgnoreCase)) {
        // error: form token is not valid for this user
        // (don't care about cookie token)
        throw CreateValidationException();
    }

    if (!String.Equals(salt ?? String.Empty, formToken.Salt, StringComparison.Ordinal)) {
        // error: custom validation failed
        throw CreateValidationException();
    }
}
My problem was that condition where it compares the Identity user name with the form token's user name. In my case, I didn't have the user name set (one was null, the other was an empty string).
While I doubt many will run into this same scenario, hopefully others will find it useful seeing the underlying conditions that are being checked.
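An added example, not part of the original answer or the MVC source: a self-contained C# console program that runs the same comparisons in the same order as the Validate method quoted above, but reports which one fails, and reproduces the null versus empty-string user name mismatch. TokenFields and FirstFailure are hypothetical names, and the sample values are constructed.

```csharp
using System;

// Hypothetical stand-in for the deserialized token fields that Validate() compares.
class TokenFields
{
    public string Value;
    public string Username;
    public string Salt;
}

static class AntiForgeryDiagnosis
{
    // Same comparisons and order as Validate(), but each failure gets its own message
    // instead of the single generic validation exception.
    public static string FirstFailure(TokenFields cookie, TokenFields form,
                                      string currentUsername, string salt)
    {
        if (cookie == null) return "cookie token is missing";
        if (form == null) return "form token is missing";
        if (!String.Equals(cookie.Value, form.Value, StringComparison.Ordinal))
            return "form token does not match cookie token";
        if (!String.Equals(form.Username, currentUsername, StringComparison.OrdinalIgnoreCase))
            return "form token is not valid for this user (form: " + Show(form.Username)
                 + ", current: " + Show(currentUsername) + ")";
        if (!String.Equals(salt ?? String.Empty, form.Salt, StringComparison.Ordinal))
            return "custom validation (salt) failed";
        return "ok";
    }

    // Makes null and "" visibly different in the diagnostic text.
    static string Show(string s) { return s == null ? "<null>" : "\"" + s + "\""; }

    static void Main()
    {
        // Constructed sample values, not real tokens.
        var cookie = new TokenFields { Value = "abc123", Username = "", Salt = "" };
        var form = new TokenFields { Value = "abc123", Username = "", Salt = "" };

        // Token user name and current user name are both the empty string.
        Console.WriteLine(FirstFailure(cookie, form, "", null));

        // Current user name is null while the token carries "": String.Equals treats them as different.
        string currentUsername = null;
        Console.WriteLine(FirstFailure(cookie, form, currentUsername, null));

        // Normalizing null to "" before the comparison removes the mismatch.
        Console.WriteLine(FirstFailure(cookie, form, currentUsername ?? String.Empty, null));
    }
}
```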