在ASP.NET Web表单禁用反XSRF令牌验证重定向到IIS和IE浏览器登录页面 [英] Disabling Anti-XSRF token validation in ASP.NET web forms redirects to login page on IIS and IE

问题描述

我们在新的2012年VS使用新的ASP.NET Web表单模板，因为我们不得不在IIS上的一些问题，与此错误：

System.Web.HttpException（0X80004005）：视图状态MAC失败的验证如果此应用程序由Web场或群集承载，确保配置指定了相同的validationKey和验证算法自动生成不能在群集中使用。 ---> System.Web.UI.ViewStateException：无效的视图状态

。

然后我们做了，这会更改web.config中：

 ＆LT;页validateRequest =false的enableEventValidation =假viewStateEncryptionMode =从不enableViewStateMac =false的＆GT; ...＆LT; /页＆GT;
 

不过，后来我们得到了错误：反XSRF令牌验证失败

然后，我们在评论所有Site.Master.cs的code，关于反XSRF令牌验证（因为网站上使用的Intranet），但是现在我们不能登录使用IE浏览器（Chrome浏览器和Firefox的作​​品），因为登录后（这是在日志succesfull），它重定向到重新登录页面，但用户已登录。

更新
我尝试了所有的解决方案，从这里它不起作用：的http://blogs.msdn.com/b/tom/archive/2008/03/14/validation-of-viewstate-mac-failed-error.aspx.最后，我也试图与：在web.config中，但后来我得到的错误信息：System.InvalidOperationException：反XSRF令牌验证失败。但是，有没有办法了。

更新2
是否有禁用新的ASP.NET Web表单模板项目反XSRF令牌验证正确的方法是什么？

解决方案

相反disactivaving ASP.NET的所有安全特性（这是不是在所有的决定），你应集中精力解决实际的错误。

System.Web.HttpException（0X80004005）：视图状态MAC验证失败是一个常见的​​错误。为了解决这个问题，你必须定义一个的machineKey 来在你的web.config文件中使用。这通常是由于这样的事实，有横跨回发两个不同的密钥。在web.config将最有可能解决这一问题定义一个（不要忘记激活像视图状态加密安全功能）。
你可以在这里生成一个： http://aspnetresources.com/tool​​s/machineKey

请参阅这篇文章中的示例： http://stackoverflow.com/a/6260201/375304 （但不要使用相同的密钥）。

此外，有看看这个链接，它可能有助于了解相关的machineKey ASP.NET安全功能。
http://msdn.microsoft.com/en-us/library/ff649308.aspx

更新：如果任何这不起作用，请尝试以下（的来源）：

  

根据上述第3项的另一个解决方案，特别感谢亚历张贴
  这在下面的评论。他写了一个小的类名为的BasePage
  能解决的问题，所以你只需要在扩展您的网页
  的BasePage，而不是页：

 公共类的BasePage：页
{
  私人静态字符串[] = aspNetFormElements新的String []
  {
    __EVENTTARGET
    __EVENTARGUMENT
    __VIEWSTATE
    __EVENTVALIDATION
    __VIEWSTATEENCRYPTED
  };  保护覆盖无效渲染（HtmlTextWriter的作家）
  {
    StringWriter的StringWriter的=新的StringWriter（）;
    的HtmlTextWriter的HTMLWriter =新的HtmlTextWriter（StringWriter的）;
    base.Render（的HTMLWriter）;
    字符串的html = stringWriter.ToString（）;
    INT formStart = html.IndexOf（＆LT;表）;
    INT端部结构= -1;
    如果（formStart＆GT; = 0）
      端部结构= html.IndexOf（＆gt;中，formStart）;    如果（端部结构＆GT; = 0）
    {
      StringBuilder的viewStateBuilder =新的StringBuilder（）;
      的foreach（在aspNetFormElements字符串元素）
      {
        INT的startPoint = html.IndexOf（＆LT;输入类型= \\隐藏\\NAME = \\+元素+\\）;
        如果（的startPoint＆GT; = 0＆放大器;＆放大器;的startPoint＆GT;端部结构）
        {
          INT终点= html.IndexOf（/＆gt;中，的startPoint）;
          如果（端点＆GT; = 0）
          {
            终端+ = 2;
            字符串viewStateInput = html.Substring（的startPoint，终端 - 的startPoint）;
            HTML = html.Remove（的startPoint，终端 - 的startPoint）;
            viewStateBuilder.Append（viewStateInput）.Append（\\ r \\ n）;
          }
        }
      }      如果（viewStateBuilder.Length大于0）
      {
        viewStateBuilder.Insert（0，\\ r \\ n）;
        的HTML = html.Insert（端部结构+ 1，viewStateBuilder.ToString（））;
      }
    }    writer.Write（HTML）;
  }
}
 

We are using new ASP.NET Web forms template in new VS 2012. Because we had some problems on IIS, with this error:

"System.Web.HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster. ---> System.Web.UI.ViewStateException: Invalid viewstate."

Then we made this changes to web.config:

<pages validateRequest="false" enableEventValidation="false" viewStateEncryptionMode ="Never" enableViewStateMac="false" > ... </pages>

but, then we got the error: "Validation of Anti-XSRF token failed."

We then commented all the code in Site.Master.cs, regarding Anti-XSRF token validation (because site is used on intranet), however now we cannot login using IE (in Chrome and Firefox works), because after login (which is succesfull in log), it redirects to login page again, but the user is logged in.

UPDATE I tried all of the solutions from here and it doesn't work: http://blogs.msdn.com/b/tom/archive/2008/03/14/validation-of-viewstate-mac-failed-error.aspx. Lastly, I tried also with: in web.config, but then i get the error: System.InvalidOperationException: Validation of Anti-XSRF token failed. Still, there is no solution.

UPDATE 2 Is there a proper way to disable Anti-XSRF token validation in new ASP.NET Web Forms template project ?

解决方案

Instead of disactivaving all the security features of ASP.NET (which is NOT advised at all), you should rather focus on solving the actual error.

System.Web.HttpException (0x80004005): Validation of viewstate MAC failed is a common error. To solve it, you have to define a machinekey to use in your web.config file. This is usually due to the fact that you have two different keys across postback. Defining one in the web.config will most likely solve the issue (do not forget to reactivate security features like viewstate encryption). You can generate one here: http://aspnetresources.com/tools/machineKey

See this post for an example: http://stackoverflow.com/a/6260201/375304 (but do NOT use the same key).

Also, have look at this link, it might be helpful to understand ASP.NET security features related to the machinekey. http://msdn.microsoft.com/en-us/library/ff649308.aspx

UPDATE: If any of this doesn't work, try the following (source):

Another solution based on #3 above, special thanks to Alex for posting this in the comments below. He wrote a small class called BasePage that fixes the issues, so you just have to extend your page from BasePage instead of Page:

public class BasePage : Page
{
  private static string[] aspNetFormElements = new string[] 
  { 
    "__EVENTTARGET",
    "__EVENTARGUMENT",
    "__VIEWSTATE",
    "__EVENTVALIDATION",
    "__VIEWSTATEENCRYPTED",
  };

  protected override void Render(HtmlTextWriter writer)
  {
    StringWriter stringWriter = new StringWriter();
    HtmlTextWriter htmlWriter = new HtmlTextWriter(stringWriter);
    base.Render(htmlWriter);
    string html = stringWriter.ToString();
    int formStart = html.IndexOf("<form");
    int endForm = -1;
    if (formStart >= 0)
      endForm = html.IndexOf(">", formStart);

    if (endForm >= 0)
    {
      StringBuilder viewStateBuilder = new StringBuilder();
      foreach (string element in aspNetFormElements)
      {
        int startPoint = html.IndexOf("<input type=\"hidden\" name=\"" + element + "\"");
        if (startPoint >= 0 && startPoint > endForm)
        {
          int endPoint = html.IndexOf("/>", startPoint);
          if (endPoint >= 0)
          {
            endPoint += 2;
            string viewStateInput = html.Substring(startPoint, endPoint - startPoint);
            html = html.Remove(startPoint, endPoint - startPoint);
            viewStateBuilder.Append(viewStateInput).Append("\r\n");
          }
        }
      }

      if (viewStateBuilder.Length > 0)
      {
        viewStateBuilder.Insert(0, "\r\n");
        html = html.Insert(endForm + 1, viewStateBuilder.ToString());
      }
    }

    writer.Write(html);
  }
}

这篇关于在ASP.NET Web表单禁用反XSRF令牌验证重定向到IIS和IE浏览器登录页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！