注册后AntiForgeryToken无效 [英] AntiForgeryToken invalid after sign in
问题描述
我有一个用户可以张贴在没有登录电子形式。但是如果他的邮件被认为是需要密码。密码表单验证过阿贾克斯,如果全成的主要形式提交。这两种形式都需要一个有效的AntiForgeryToken。
美中不足的是,密码校验作为双积也签署用户(来自客户机的要求)。这种无效的令牌和主要形式不能被发送。
我曾尝试编程产生新的凭证,但我无法得到它的工作。
这是如何解决这个任何想法?
最终的解决方案
我发现这个问题是有帮助的类型了反射。然而,这是主要的原因,在正常情况下,你会避免黑客的内部类型,是该类型组件之间玩弄了很多版本之间。贝蒂指出,使用ILSpy找东西。
这是最后的code。
如果(签到)
FormsAuth.SignIn(user.Email,FALSE);
VAR mvcAssembly = typeof运算(防伪).Assembly;
变种afdType = mvcAssembly.GetType(System.Web.Helpers.AntiForgeryData);
字符串字段名= Convert.ToString(afdType.InvokeMember(
GetAntiForgeryTokenName
BindingFlags.NonPublic可| BindingFlags.Static | BindingFlags.InvokeMethod,
空值,
空值,
新的对象[] {}返回null));变种serializerType = mvcAssembly.GetType(System.Web.Helpers.AntiForgeryDataSerializer);
VAR serializerCtor = serializerType.GetConstructor(新类型[0]);
对象序列化= serializerCtor.Invoke(新对象[0]);
字符串文本= HttpContext.Request.Form [字段名]
反对antiForgeryData = serializerType.InvokeMember(反序列化,BindingFlags.InvokeMethod,空,串行器,新的对象[] {文本});afdType.GetProperty(用户名)。的SetValue(antiForgeryData,
签到 ? user.Email:的String.Empty,
空值);字符串newToken = Convert.ToString(serializerType.InvokeMember(
连载,
BindingFlags.InvokeMethod,
空值,
串行器,
新的对象[] {} antiForgeryData));返回内容(JsonConvert.SerializeObject(新
{
成功= TRUE,
newAntiForgeryToken = newToken
}),Constant.JsonContentType);
升级网页2.0
VAR mvcAssembly = typeof运算(防伪).Assembly;
变种afdType = mvcAssembly.GetType(System.Web.Helpers.AntiXsrf.AntiForgeryToken);
//字符串字段名= Convert.ToString(afdType.InvokeMember(
//GetAntiForgeryTokenName
// BindingFlags.NonPublic可| BindingFlags.Static | BindingFlags.InvokeMethod,
// 空值,
// 空值,
//新的对象[] {}返回null)); 字符串字段名=__RequestVerificationToken; 变种serializerType = mvcAssembly.GetType(System.Web.Helpers.AntiXsrf.AntiForgeryTokenSerializer);
VAR serializerCtor = serializerType.GetConstructor(新类型[0]);
对象序列化= serializerCtor.Invoke(新对象[0]);
字符串文本= HttpContext.Request.Form [字段名]
字符串newToken =的String.Empty; 如果(!String.IsNullOrEmpty(文本))
{
反对antiForgeryToken = serializerType.InvokeMember(反序列化,BindingFlags.InvokeMethod,空,
串行器,新的对象[] {文本}); afdType.GetProperty(用户名)。的SetValue(antiForgeryToken,
签到 ? user.Email:的String.Empty,
空值); newToken = Convert.ToString(serializerType.InvokeMember(
连载,
BindingFlags.InvokeMethod,
空值,
串行器,
新的[] {} antiForgeryToken));
}
当前用户存储在表单数据的防伪标记,并在回发当前用户进行比较。
您应该能够拉出形式标记在回发以同样的方式菲尔哈克做它的这个帖子。
然后使用AntiForgeryDataSerializer类反序列化令牌,更新当前用户,再序列化,并把它放回形式,它的前检查。或完全使用自己的属性替换validate方法。
此外,而不是更新它的主要形式回传,你可以尝试发送更新令牌回来的密码ajax请求和更新的形式。无论哪种方式的基本方法是一样的,反序列化,更新用户,序列化,更换令牌。
字符串antiForgeryTokenName = AntiForgeryData.GetAntiForgeryTokenName(NULL);
字符串文本= context.Request.Form [antiForgeryTokenName]
AntiForgeryDataSerializer串行=新AntiForgeryDataSerializer();AntiForgeryData antiForgeryData = serializer.Deserialize(文本);
antiForgeryData.Username = AntiForgeryData.GetUsername(context.User);
字符串newToken = serializer.Serialize(antiForgeryData);
AntiForgeryDataSerializer和AntiForgeryData是内部类,因此你将不得不使用一些基本的反射来调用它们的方法。
I have a form which the user can post without loging in. If however his email is recognized a password is required. The password form is validated over Ajax and if successfull the main form is submitted. Both forms require a valid AntiForgeryToken.
The catch is, the password check as a biproduct also signs the user in (a requirement from the client). This invalidates the token and the main form cannot be sent.
I have tried programmatically generating a new token but I can't get it to work.
Any ideas on how to resolve this?
Final solution
I found this question to be helpful in type up the reflection. However, and this is the main reason why under normal circumstances you would avoid hacking internal types, is that the types are juggled between assemblies alot between releases. As Betty suggests, use ILSpy to find things.
This is the final code.
if (signIn)
FormsAuth.SignIn(user.Email, false);
var mvcAssembly = typeof(AntiForgery).Assembly;
var afdType = mvcAssembly.GetType("System.Web.Helpers.AntiForgeryData");
string fieldName = Convert.ToString(afdType.InvokeMember(
"GetAntiForgeryTokenName",
BindingFlags.NonPublic | BindingFlags.Static | BindingFlags.InvokeMethod,
null,
null,
new object[] { null }));
var serializerType = mvcAssembly.GetType("System.Web.Helpers.AntiForgeryDataSerializer");
var serializerCtor = serializerType.GetConstructor(new Type[0]);
object serializer = serializerCtor.Invoke(new object[0]);
string text = HttpContext.Request.Form[fieldName];
object antiForgeryData = serializerType.InvokeMember("Deserialize", BindingFlags.InvokeMethod, null, serializer, new object[] { text });
afdType.GetProperty("Username").SetValue(antiForgeryData,
signIn ? user.Email : string.Empty,
null);
string newToken = Convert.ToString(serializerType.InvokeMember(
"Serialize",
BindingFlags.InvokeMethod,
null,
serializer,
new object[] { antiForgeryData }));
return Content(JsonConvert.SerializeObject(new
{
success = true,
newAntiForgeryToken = newToken
}), Constant.JsonContentType);
Upgrade for WebPages 2.0
var mvcAssembly = typeof(AntiForgery).Assembly;
var afdType = mvcAssembly.GetType("System.Web.Helpers.AntiXsrf.AntiForgeryToken");
//string fieldName = Convert.ToString(afdType.InvokeMember(
// "GetAntiForgeryTokenName",
// BindingFlags.NonPublic | BindingFlags.Static | BindingFlags.InvokeMethod,
// null,
// null,
// new object[] { null }));
string fieldName = "__RequestVerificationToken";
var serializerType = mvcAssembly.GetType("System.Web.Helpers.AntiXsrf.AntiForgeryTokenSerializer");
var serializerCtor = serializerType.GetConstructor(new Type[0]);
object serializer = serializerCtor.Invoke(new object[0]);
string text = HttpContext.Request.Form[fieldName];
string newToken = String.Empty;
if (!String.IsNullOrEmpty(text))
{
object antiForgeryToken = serializerType.InvokeMember("Deserialize", BindingFlags.InvokeMethod, null,
serializer, new object[] { text });
afdType.GetProperty("Username").SetValue(antiForgeryToken,
signIn ? user.Email : string.Empty,
null);
newToken = Convert.ToString(serializerType.InvokeMember(
"Serialize",
BindingFlags.InvokeMethod,
null,
serializer,
new[] { antiForgeryToken }));
}
The current user is stored in the anti-forgery token in the form data and compared with the current user on postback.
You should be able to pull out the form token on postback in the same way Phil Haack does it in this post.
Then use the AntiForgeryDataSerializer class to deserialize the token, update the current user, serialize it again and put it back in the form before it's checked. Or replace the validate method entirely using your own attribute.
Alternatively, instead of updating it on the main forms postback, you could try send the updated token back with the password ajax request and update the form. Either way the basic approach is the same, deserialize, update user, serialize, replace token.
string antiForgeryTokenName = AntiForgeryData.GetAntiForgeryTokenName(null);
string text = context.Request.Form[antiForgeryTokenName];
AntiForgeryDataSerializer serializer = new AntiForgeryDataSerializer();
AntiForgeryData antiForgeryData = serializer.Deserialize(text);
antiForgeryData.Username = AntiForgeryData.GetUsername(context.User);
string newToken = serializer.Serialize(antiForgeryData);
AntiForgeryDataSerializer and AntiForgeryData are internal classes, so you will have to use some basic reflection to call methods on them.
这篇关于注册后AntiForgeryToken无效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
