Mvc3 Antiforgery token multi tabs


Problem description

We have a specific issue with the anti-forgery token on the login page. If the user logs in with only one active window everything works great; however, if the user opens the login page in two different windows and logs in from window A (no issues, will log in), and then goes back to log in from window B, in this window the user will receive "A required anti-forgery token was not supplied or was invalid".

Is there any way around this other than to remove the anti-forgery token from the view/controller action? We would prefer to have the token for additional security!

This is very similar to this question, however that one was asked for MVC2: MVC ValidateAntiForgeryToken multi-tabs problem (http://stackoverflow.com/questions/4031617/mvc-validateantiforgerytoken-multi-tabs-problem)

Recommended answer

This behaviour in MVC3 or MVC4 is as designed; however, it is very user-unfriendly, as explained above. In production this issue needs to be solved gracefully and the application needs to handle this odd situation. The solution for this problem is to create a filter that is applied to the login post that will verify if the user is logged in and take them to the correct page; otherwise they will remain on the login page.

Below is the code for the filter attribute:

using System.Web.Mvc;     // HandleErrorAttribute, ExceptionContext, HttpAntiForgeryException, UrlHelper
using System.Web.Routing; // RequestContext, RouteTable, RouteValueDictionary

/// <summary>
/// Handle Antiforgery token exception and redirect to customer area if the user is Authenticated
/// </summary>
public class RedirectOnError : HandleErrorAttribute
{
    /// <summary>
    /// Override the on exception method and check if the user is authenticated and redirect the user 
    /// to the customer service index otherwise continue with the base implementation
    /// </summary>
    /// <param name="filterContext">Current Exception Context of the request</param>
    public override void OnException(ExceptionContext filterContext)
    {
        if (filterContext.Exception is HttpAntiForgeryException && filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Set response code back to normal
            filterContext.HttpContext.Response.StatusCode = 200;

            // Handle the exception
            filterContext.ExceptionHandled = true;

            UrlHelper urlH = new UrlHelper(filterContext.HttpContext.Request.RequestContext);

            // Create a new request context
            RequestContext rc = new RequestContext(filterContext.HttpContext, filterContext.RouteData);

            // Create a new return url
            string url = RouteTable.Routes.GetVirtualPath(rc, new RouteValueDictionary(new { Controller = "CustomerArea", action = "Index" })).VirtualPath;

            // Use the requested ReturnUrl only if it is present and local (IsLocalUrl rejects off-site redirect targets)
            if (filterContext.HttpContext.Request.Params["ReturnUrl"] != null && urlH.IsLocalUrl(filterContext.HttpContext.Request.Params["ReturnUrl"]))
            {
                url = filterContext.HttpContext.Request.Params["ReturnUrl"];
            }

            // Redirect the user back to the customer service index page
            filterContext.HttpContext.Response.Redirect(url, true);
        }
        else
        {
            // Continue to the base
            base.OnException(filterContext);
        }
    }
}

This is the usage example:

        [HttpPost]
        [RedirectOnError]
        [ValidateAntiForgeryToken]
        public ActionResult LogOn(LogOnViewModel model, UserSessionState session, string returnUrl)
        {
        // .....
        }
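
Why window B fails and what the filter changes, as an added example that is not part of the original answer: a simplified model, assuming the form token records the user name it was issued for and validation compares that name with the current identity. The `Browser` and `FormToken` types and the user names are hypothetical, not framework classes.

```csharp
using System;

// Simplified model (assumption): a form token carries the user name it was issued for.
class FormToken
{
    public string Value;     // must match the value held in the anti-forgery cookie
    public string Username;  // "" when the form was rendered for an anonymous visitor
}

class Browser
{
    public string CookieToken = Guid.NewGuid().ToString("N"); // shared by every tab
    public string CurrentUser = "";                           // "" = not logged in

    // GET of the login page: the token is bound to whoever is logged in right now.
    public FormToken RenderLoginForm()
    {
        return new FormToken { Value = CookieToken, Username = CurrentUser };
    }

    // POST of the login form: returns what the user ends up seeing.
    public string PostLogin(FormToken form, string loginAs)
    {
        bool valid = form != null
            && form.Value == CookieToken
            && string.Equals(form.Username, CurrentUser, StringComparison.OrdinalIgnoreCase);
        if (valid)
        {
            CurrentUser = loginAs;   // the action body runs only after validation passes
            return "logged in";
        }
        // Same decision as RedirectOnError: redirect only if already authenticated.
        return CurrentUser != "" ? "redirect to CustomerArea" : "anti-forgery error";
    }
}

static class Demo
{
    static void Main()
    {
        var browser = new Browser();
        FormToken tabA = browser.RenderLoginForm(); // both tabs rendered while anonymous
        FormToken tabB = browser.RenderLoginForm();
        Console.WriteLine(browser.PostLogin(tabA, "alice")); // token user matches identity
        Console.WriteLine(browser.PostLogin(tabB, "alice")); // stale token, user now authenticated
        Console.WriteLine(new Browser().PostLogin(null, "bob")); // no token, not authenticated
    }
}
```

In the stale-token case the login action body never runs; the user is only sent on to a page that still enforces its own authorization, so the token check is not weakened for unauthenticated requests.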
