Why does @Html.AntiForgeryToken() generate different tokens in same response?


Question

A single Razor view contains several forms, each with its own call to @Html.AntiForgeryToken()

<form id="f1">
    @Html.AntiForgeryToken()
</form>

<form id="f2">
    @Html.AntiForgeryToken()
</form>

As I understand it, both of these anti forgery tokens should be the same.

<form id="f1">
    <input name="__RequestVerificationToken" type="hidden" value="duVT4VtiYybun-61lnSY1ol__qBwawnELooyqT5OSrCJrvcHvDs_Nr9GLxNxwvBaI4hUcKZVkm6mDEmH2UqNorHD1FnJbKJQLWe8Su_dhy_nnGGl5GhqqC3yRGzcxbBM0" />
</form>

<form id="f2">
    <input name="__RequestVerificationToken" type="hidden" value="ZMISz3IWHU_HCKP4FppDQ5lvzoYhlQGhN1cmzKBPz4OgDzyqSUK3Q1dqvw1uHsb4eNyd9U3AbFcnW8tR7g1QS8Dyhp0tFc-ee1sfDAOqbLCcgd3PDnLCbXx09pnPREaq0" />
</form>

Why are the values different?

Surely they should be the same, because they are sent in the same Response from the server?
The documentation says nothing about calling it once only.

Accepted answer

The Anti-Forgery token is not compared directly - the server has to unprotect it first and compare the protected data inside. Having different protected tokens doesn't necessarily mean they contain differing data.

What the System.Web.Helpers.AntiXsrf.TokenValidator compares is the SecurityToken inside the decrypted AntiForgeryToken instances. These instances, however, also contain an AdditionalData field, a UserName field and a ClaimUid field.

Also, the SecurityToken inside the AntiForgeryToken is directly copied from the (current if it is valid, else the freshly generated) AntiForgery cookie inside AntiForgeryWorker.

Given that all that data is serialized, encrypted then encoded, you may have variances in the protected token due to differences between the AdditionalData between tokens or it is likely due to a pseudorandom nonce used in the encryption process (which it likely uses, since I can test 2 completely different tokens as valid against the same cookie).
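The experiment the answer describes (two different form tokens both validating against one cookie token), as an added example that is not part of the original question or answer. It uses the public System.Web.Helpers.AntiForgery API from an ASP.NET MVC 5 action; the controller and action names are assumed.

```csharp
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical controller added for illustration: mints two form tokens against
// the same anti-forgery cookie and checks that both validate even though the
// encoded strings differ. Requires a live HttpContext (AntiForgery reads the
// current user identity), so it must run inside the MVC pipeline.
public class AntiForgeryDemoController : Controller
{
    [HttpGet]
    public ContentResult Compare()
    {
        // Reuse the caller's existing anti-forgery cookie if one was sent.
        var cookie = Request.Cookies[AntiForgeryConfig.CookieName];
        string oldCookieToken = cookie != null ? cookie.Value : null;

        // First form token. newCookieToken1 is null when oldCookieToken was
        // valid and reused; otherwise a fresh cookie token is issued.
        string newCookieToken1, formToken1;
        AntiForgery.GetTokens(oldCookieToken, out newCookieToken1, out formToken1);
        string cookieToken = newCookieToken1 ?? oldCookieToken;

        // Second form token against the same cookie token, so both form tokens
        // carry the same SecurityToken inside their protected payload.
        string newCookieToken2, formToken2;
        AntiForgery.GetTokens(cookieToken, out newCookieToken2, out formToken2);

        // Validate throws HttpAntiForgeryException on mismatch; both calls pass.
        AntiForgery.Validate(cookieToken, formToken1);
        AntiForgery.Validate(cookieToken, formToken2);

        string report =
            "cookie token reused: " + (newCookieToken2 == null) + "\n" +
            "form tokens differ:  " + (formToken1 != formToken2) + "\n" +
            "both validate:       true\n";
        return Content(report, "text/plain");
    }
}
```

If the cookie token in the request was forged or belongs to a different user, the Validate calls throw instead of returning, which is the behaviour [ValidateAntiForgeryToken] relies on.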
