从浏览器获取无效令牌 [英] Getting Invalid Token from Browser
问题描述
我正在生成EmailConfirmationToken以确认电子邮件。所产生的令牌看起来像这样:
<预郎= C#> AQAAANCMnd8BFdERjHoAwE / CL + sBAAAA48Afnm / pyU6UZrt2VXGfHAAAAAACAAAAAAADZgAAwAAAABAAAABa10013CpPZN7NSwTZYu03AAAAAASAAACgAAAAEAAAAHFDDmUWdvgFz4QCqe0ML / 1gAAAAN7hpoCFiW8NcTaMNCGMLALUYL0gcfXbPjXQddI5w68mm4FfbVhMkJPbL + JTA8RXZ7mb6VgNmxS / cxdMzy5BQdIdVUIWzQYPwBlX6Oimx + zESVcCSpUSVpwI05 + ls79nmFAAAAPTqCR7RSVR5zQT3UaJlcd1BokRr
我通过电子邮件将该令牌作为超链接发送给用户。
当用户点击链接,他将重定向到我的确认功能。
这就是我实现这个功能的方式:
[Route( Register / ConfirmEmail)]
[HttpGet]
public async 任务< IHttpActionResult> ConfirmEmail( string userId, string 代码)
{
string errorMessage = null ;
if (userId == null || code == null )
{
errorMessage = Die Benutzeridentifikation oder der Aktivierungscode sindbeschädigt;
return RenderEmailConfirmedPage(userId,errorMessage);
}
var registerContext = new RegisterContext
{
UserId = userId,
ActivationCode = code
};
var result = await userService.ConfirmEmailAsync(registerContext);
问题是我得到的代码是字符串无效的。请看下面的令牌:
<预郎= C#> AQAAANCMnd8BFdERjHoAwE /氯sBAAAA48Afnm / pyU6UZrt2VXGfHAAAAAACAAAAAAADZgAAwAAAABAAAABa10013CpPZN7NSwTZYu03AAAAAASAAACgAAAAEAAAAHFDDmUWdvgFz4QCqe0ML / 1gAAAAN7hpoCFiW8NcTaMNCGMLALUYL0gcfXbPjXQddI5w68mm4FfbVhMkJPbL JTA8RXZ7mb6VgNmxS / cxdMzy5BQdIdVUIWzQYPwBlX6Oimx zESVcCSpUSVpwI05 ls79nmFAAAAPTqCR7RSVR5zQT3UaJlcd1BokRr
你知道为什么所有 + 都替换为空格?
在创建确认URL时,您似乎忘记对代码进行URL编码。为了向后兼容,浏览器将查询字符串中的+
视为编码空间。
当你生成URL,您需要使用HttpUtility.UrlEncode
方法 [ ^ ]对参数进行编码。
例如:
string url = string .Format( yoursite / controller / action ?userId = {0}& code = {1},
HttpUtility.UrlEncode(userId),
HttpUtility.UrlEncode(code));
或者,使用 ASP.NET网站上的教程 [ ^ ]:
var callbackUrl = Url.Action(
ConfirmEmail , 帐户,
new {userId = user.Id,code = code},
protocol:Request.Url.Scheme);
I am generating a EmailConfirmationToken for email confirmation. The generated token looks like this:
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA48Afnm/pyU6UZrt2VXGfHAAAAAACAAAAAAADZgAAwAAAABAAAABa10013CpPZN7NSwTZYu03AAAAAASAAACgAAAAEAAAAHFDDmUWdvgFz4QCqe0ML/1gAAAAN7hpoCFiW8NcTaMNCGMLALUYL0gcfXbPjXQddI5w68mm4FfbVhMkJPbL+JTA8RXZ7mb6VgNmxS/cxdMzy5BQdIdVUIWzQYPwBlX6Oimx+zESVcCSpUSVpwI05+ls79nmFAAAAPTqCR7RSVR5zQT3UaJlcd1BokRr
I am sending that token via email as a hyperlink to the user.
When the user clicks on the link he will redirect to my confirmation function.
This is how I implemented the function:
[Route("Register/ConfirmEmail")]
[HttpGet]
public async Task<IHttpActionResult> ConfirmEmail(string userId, string code)
{
string errorMessage = null;
if (userId == null || code == null)
{
errorMessage = "Die Benutzeridentifikation oder der Aktivierungscode sind beschädigt";
return RenderEmailConfirmedPage(userId, errorMessage);
}
var registerContext = new RegisterContext
{
UserId = userId,
ActivationCode = code
};
var result = await userService.ConfirmEmailAsync(registerContext);
The problem is the code which I get as string is invalid. Look at the following token:
AQAAANCMnd8BFdERjHoAwE/Cl sBAAAA48Afnm/pyU6UZrt2VXGfHAAAAAACAAAAAAADZgAAwAAAABAAAABa10013CpPZN7NSwTZYu03AAAAAASAAACgAAAAEAAAAHFDDmUWdvgFz4QCqe0ML/1gAAAAN7hpoCFiW8NcTaMNCGMLALUYL0gcfXbPjXQddI5w68mm4FfbVhMkJPbL JTA8RXZ7mb6VgNmxS/cxdMzy5BQdIdVUIWzQYPwBlX6Oimx zESVcCSpUSVpwI05 ls79nmFAAAAPTqCR7RSVR5zQT3UaJlcd1BokRr
Do you know why all + are replaces with a space " " ?
It looks like you've forgotten to URL-encode the code when you created the confirmation URL. For backwards-compatibility, browsers treat a+
in the query-string as an encoded space.
When you generate the URL, you need to use theHttpUtility.UrlEncode
method[^] to encode the parameters.
For example:
string url = string.Format("yoursite/controller/action?userId={0}&code={1}", HttpUtility.UrlEncode(userId), HttpUtility.UrlEncode(code));
Or, using the code from the tutorial on the ASP.NET site[^]:
var callbackUrl = Url.Action( "ConfirmEmail", "Account", new { userId = user.Id, code = code }, protocol: Request.Url.Scheme);
这篇关于从浏览器获取无效令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!