Why is AntiForgeryToken's hidden field not the same as its cookies on my machine?

Views: 430

Question


I just did a quick test with a simple ASP.NET MVC 3 sample by modifying the default LogOn form. According to this article (http://weblogs.asp.net/dixin/archive/2010/05/22/anti-forgery-request-recipes-for-asp-net-mvc-and-ajax.aspx), both the hidden field __RequestVerificationToken and the cookie __RequestVerificationToken_Lw__ must contain the same value generated by Html.AntiForgeryToken(). But they aren't exactly the same when I captured them in Fiddler. By the way, looking at the MVC 3 source code, the method GetAntiForgeryTokenAndSetCookie seems not to use the salt value when generating the cookie. Was there any change in MVC 3?

Forgot to say that I could still log on successfully with both normal and Ajax POST requests.

Here is the raw log from Fiddler:

POST http://localhost:51713/Account/LogOn HTTP/1.1
Referer: http://localhost:51713/Account/LogOn
Content-Length: 256
Origin: http://localhost:51713
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: __RequestVerificationToken_Lw__=OIRtVqUvNt/LfDGeoVy3W1VhdKN7MwdbUZmRNScz4NqS4uV0I0vQH2MHg77SsVhcinK5SJi9mVcdBUWk2VMiPTk8EMUN2Zq0X4ucK8XQ3/zr6NoiIvVF73Bq8ahbFaY/IrNrWY7mmzvO9j/XVLNN2lNqgCd6I3UGZAw3/nlOmpA=

__RequestVerificationToken=zeDS%2F8MZE%2BLf%2FrRhevwN51J7bOE3GxlGNLQc8HogwFctF7glU1JboHePTTHa5YFe9%2FD2sY7w167q53gqvcwYZG1iZeecdnO4fdg6URdR4RUR%2BjIgk1apkXoxQ2xg48REfv4N5D4SHKU4MAf30Diy0MVyyF9N2Dl7uUGT6LbKHZU%3D&UserName=Tien&Password=tien&RememberMe=false

Solution

What makes you think they should be the same? :) Of course, they must be comparable in some way, but that doesn't mean they must look identical in their serialized form. There is a different set of data serialized to the cookie (I think only the "salt" and token) and to the HTML markup (salt, token, creation time, username).

If you are interested in the details, take ILSpy and look for System.Web.Mvc.AntiForgeryDataSerializer, System.Web.Mvc.AntiForgeryData and the OnAuthorization method of System.Web.Mvc.ValidateAntiForgeryTokenAttribute.
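A constructed illustration of the answer's point, added here and not code from the page or from ASP.NET MVC: the cookie and the hidden form field carry the same random token value but different surrounding fields, so their serialized strings differ while validation still succeeds by comparing the fields that matter. The serializer below (base64 of JSON plus an HMAC tag under a constructed key), the constants SERVER_KEY and SALT, and the functions issue_tokens and validate are assumptions standing in for AntiForgeryDataSerializer and ValidateAntiForgeryTokenAttribute.OnAuthorization; only the two payload field sets (cookie: salt and token; form: salt, token, creation time, username) are taken from the answer.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

# Constructed server-side secret standing in for the machine key that protects
# the real MVC serializer. Hypothetical value, not from MVC.
SERVER_KEY = b"constructed-demo-key-not-for-production"
# Constructed salt, playing the role of the salt passed to Html.AntiForgeryToken().
SALT = "demo-salt"
_TAG_LEN = hashlib.sha256().digest_size


def _serialize(payload: dict) -> str:
    """Simplified stand-in for AntiForgeryDataSerializer (assumption):
    base64( JSON body || HMAC-SHA256(body) )."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def _deserialize(blob: str) -> dict:
    """Reverse of _serialize; rejects anything whose tag does not verify."""
    raw = base64.b64decode(blob)
    body, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("anti-forgery data failed integrity check")
    return json.loads(body)


def issue_tokens(username: str, salt: str = SALT,
                 now: Optional[float] = None) -> Tuple[str, str]:
    """Model of Html.AntiForgeryToken(): one random token value is written to
    two places with different surrounding fields (field sets per the answer).
    Returns (cookie_value, hidden_field_value)."""
    token = base64.b64encode(os.urandom(16)).decode()
    cookie_payload = {"salt": salt, "token": token}
    form_payload = {
        "salt": salt,
        "token": token,
        "created": now if now is not None else time.time(),
        "username": username,
    }
    return _serialize(cookie_payload), _serialize(form_payload)


def validate(cookie_value: str, form_value: str, current_user: str,
             salt: str = SALT) -> bool:
    """Model of ValidateAntiForgeryTokenAttribute.OnAuthorization: the two
    serialized strings are never compared directly; the token field must match,
    both salts must match the expected salt, and the form token must belong to
    the currently logged-on user."""
    try:
        cookie_data = _deserialize(cookie_value)
        form_data = _deserialize(form_value)
        return (
            hmac.compare_digest(cookie_data["token"], form_data["token"])
            and cookie_data["salt"] == salt
            and form_data["salt"] == salt
            and form_data["username"] == current_user
        )
    except (ValueError, KeyError, TypeError):
        # Tampered, truncated or malformed input is rejected, never raised.
        return False


if __name__ == "__main__":
    cookie, field = issue_tokens("Tien")
    print("cookie value :", cookie)
    print("hidden field :", field)
    print("strings equal:", cookie == field)          # False, as in the question
    print("validates    :", validate(cookie, field, "Tien"))  # True
```

Running the block prints two different base64 strings followed by a successful validation; pairing the cookie with a hidden field issued for a different request, or for a different user, fails validation even though each string on its own is intact.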
