ASP.NET MVC - ValidateAntiForgeryToken expiring


Question

In a web page we provide a hyperlink (GET) that the User may click on to authenticate:

    @Html.ActionLink("Please Login", "MyMethod", "MyController")

This maps to the following controller method which returns a View:

    [RequireHttps]
    public ActionResult MyMethod()
    {
        return this.View(new MyModel());
    }

This View contains the Form in which the User supplies their credentials; the Form contains the required AntiForgeryToken.

When the User submits the form, the following Controller method is called:

    [HttpPost]
    [RequireHttps]
    [ValidateAntiForgeryToken]
    public ActionResult MyMethod(MyModel model)
    {
        // my logic
    }

This works perfectly well, most of the time...

However, if the User leaves their browser open for a "significant" period of time and then performs the following steps in quick succession:

  1. Click the hyperlink (GET) to load the login form
  2. Fill in the form and submit it

They get an exception informing them that the Anti-Forgery token was either not provided or was invalid.

I don't understand why this is the case: the View (containing the form) is created after the browser was dormant and so the anti-forgery tokens should all be "fresh". However, something is evidently wrong with this design, but I'm not sure how best to rectify it.

Thanks in advance if you have any suggestions.

Griff

Recommended answer

I'm dealing with this same problem and while I understand the issue, I'm not sure yet of the best resolution.

The Anti-ForgeryToken process places an input value in the form with a second value stored in a cookie RequestVerificationToken. Both of these are submitted to the server and if they don't match the error is thrown.

The RequestVerificationToken cookie has an expiration value set to be Session. So when the user leaves the browser open on the page for a long time and then submits, the cookie's time stamp is compared to the session timeout value on the server — a default of 20 minutes or so — and having been exceeded, it is removed and thus token validation fails.

Possible solutions, all of which have potential issues:

  1. Place a JavaScript timer on the page and refresh it at an interval shorter than your session timeout.
  2. Catch the System.Web.Mvc.HttpAntiForgeryException on the server and redirect to the same page.
  3. Increase the session timeout.
  4. Change the expiration of the anti-forgery token.
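One way to implement option 2 above, as an added example that is not part of the original answer: an ASP.NET MVC exception filter that turns the anti-forgery failure into a redirect back to the same GET action, so the user is simply shown a fresh login form (with a freshly issued form token and cookie) instead of an error page. The `tokenExpired` route value and the attribute name are my own choices.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Exception filter for the HttpAntiForgeryException described in the answer.
// Register it globally (filters.Add(new RedirectOnAntiForgeryErrorAttribute());
// in FilterConfig.RegisterGlobalFilters) or apply it to the login action.
public class RedirectOnAntiForgeryErrorAttribute : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        // Leave every other exception, and anything already handled, to the default pipeline.
        if (filterContext.ExceptionHandled ||
            !(filterContext.Exception is HttpAntiForgeryException))
        {
            return;
        }

        // Re-issue the GET for the same controller/action. Rendering the view again
        // calls @Html.AntiForgeryToken(), which writes a new form token and, if the
        // cookie is gone, a new RequestVerificationToken cookie.
        var routeValues = new RouteValueDictionary(filterContext.RouteData.Values);
        routeValues["tokenExpired"] = true; // hypothetical flag the view can use to show a "please try again" message

        filterContext.Result = new RedirectToRouteResult(routeValues);
        filterContext.ExceptionHandled = true;
    }
}
```

Because the redirect is a GET, the user's submitted credentials are deliberately not replayed; they re-enter them on the fresh form, which is the safe behaviour for a login POST whose token could not be verified.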
