在ASP.NET Core中使用防伪cookie，但使用非默认CookieName [英] Using the antiforgery cookie in ASP.NET Core but with a non-default CookieName

问题描述

我正在考虑更改ASP.NET Core中默认防伪cookie的名称.

我想更改cookie名称的原因是使cookie匿名化，我认为最终用户没有理由应该确定此cookie的责任.

Microsoft.AspNetCore.Antiforgery.AntiforgeryOptions.CookieName

1. 如何更改防伪Cookie的名称?我想应该以某种方式在 Startup.cs 文件中完成该操作吗?
2. 通过更改默认的防伪cookie名称可能会发生什么情况?
3. 如何在ASP.NET Core中使用防伪cookie?
4. 不同的Web应用程序(使用相同的域)应该共享一个防伪Cookie，还是应该为每个Web应用程序创建单独的防伪Cookie?

解决方案

您可以在Startup.ConfigureServices中设置其他名称，如下所示:

services.AddAntiforgery(opts => opts.CookieName = "MyAntiforgeryCookie");

对于 .Net Core 2.0.0或更高版本，将有所更改:

参考: https://docs.microsoft .com/en-us/dotnet/api/Microsoft.AspNetCore.Antiforgery.AntiforgeryOptions?view = aspnetcore-2.0

为此，请执行以下操作:

services.AddAntiforgery(opts => opts.Cookie.Name = "MyAntiforgeryCookie");

默认情况下，AddMvc()内部调用AddAntiforgery()，这意味着您将获得默认的cookie，标题和表单名称.如果需要/想要使用其他名称，可以通过如上所述手动调用AddAntiforgery来实现.

如果更改cookie名称，则对您的应用程序没有任何影响(除非您自己添加了手动使用该cookie的代码).您可能还想更改标题/表单名称，例如官方的Antiforgery回购这个问题.

如果您使用ajax请求，那么您将需要在请求中包括标头或包含生成的令牌的字段.您基本上需要:

1. 获取IAntiforgery
2. 致电var tokenSet = antiforgery.GetAndStoreTokens(httpContext);

3. 将其提供给您的js代码，以便它知道值tokenSet.RequestToken作为每个ajax请求中包含为名称为tokenSet.FormFieldName的字段或包含名称为tokenSet.HeaderName的标头包含在内.

   • 几种选择，例如将标记呈现到js布局的脚本部分内的JS对象中，像角度示例中那样添加JS可读cookie，保持呈现包含在ajax请求中的隐藏字段
   • 选项在此答案中

目标是让POST/PUT/DELETE/PATCH请求包括两件事:

• 防伪Cookie
• 带有令牌的字段/标题

因此，防伪中间件可以验证是否没有XSRF.

---

有关Cookie名称/域的更新

明智的默认设置是让每个应用程序都有其自己的cookie.大多数情况下，您会使用默认方法获得该信息，因为cookie上没有专门设置任何域，因此cookie会从请求中获取域.除非这些应用程序托管在同一域中，否则这将意味着针对不同应用程序使用不同的Cookie.

• 在此处了解更多有关Cookie的工作方式的信息.

您可能只想在特殊情况下共享cookie，例如，如果您有两个应用程序，其中应用程序A中的表单发布到应用程序B.在这些情况下，请确保您使用的域/子域与两个应用程序都匹配使用相同的cookiea名称.

• 有关XSRF的更多信息此处

I'm thinking about changing name of the default antiforgery cookie in ASP.NET Core.

The reason why I would like to change the cookie name is to anonymize the cookie, in my opinion there is no reason why end users should be able to determine the responsibility of this cookie.

Microsoft.AspNetCore.Antiforgery.AntiforgeryOptions.CookieName

1. How do I change the name of the antiforgery cookie? I guess it should be done in the Startup.cs file in somehow?
2. What possible implications could occur by changing name the default antiforgery cookie?
3. How do I use the antiforgery cookie in ASP.NET Core?
4. Should different web applications (using same domain) share single antiforgery cookie, or should separate antiforgery cookies be created for each web application?

解决方案

You can set a different name in your Startup.ConfigureServices as in:

services.AddAntiforgery(opts => opts.CookieName = "MyAntiforgeryCookie");

For .Net Core 2.0.0 or greater there will be changes:

Reference: https://docs.microsoft.com/en-us/dotnet/api/Microsoft.AspNetCore.Antiforgery.AntiforgeryOptions?view=aspnetcore-2.0

For that use following:

services.AddAntiforgery(opts => opts.Cookie.Name = "MyAntiforgeryCookie");

By default AddMvc() internally calls AddAntiforgery(), which means you get the default cookie, header and form names. If you need to/want to use different names, you can do so by manually calling AddAntiforgery as above.

There should be no implications for your application if you change the cookie name (unless you added code yourself that manually used that cookie). You might also want to change the header/form name, for example the offical Antiforgery repo has an example that uses Angular and changes the header as the standard angular XSRF token header.

In order to use it, add the [ValidateAntiForgeryToken] to controller actions other than GET requests.

You have to do nothing else for standard html forms as long as you use the asp form tag helpers, see this question.

If you use ajax requests, then you will need to include either a header or a field within your request that includes the generated token. You basically need to:

1. Get an IAntiforgery
2. Call var tokenSet = antiforgery.GetAndStoreTokens(httpContext);

3. Make it available to your js code so it knows about the value tokenSet.RequestToken to be included as either a field with name tokenSet.FormFieldName or a header with name tokenSet.HeaderName within each ajax request.

   • A few options for that like rendering the token into a JS object inside a script section in your js layout, adding a JS readable cookie as in the angular example, keep rendering hidden fields you include within the ajax request
   • There is a nice overview of the options in this answer

The aim is for POST/PUT/DELETE/PATCH requests to include 2 things:

• the antiforgery cookie
• the field/header with the token

So the antiforgery middleware can validate there was no XSRF.

---

Update about cookie name/domain

The sensible default is for each application to have its own cookie. You mostly get that with the default approach as no domain is specifically set on the cookie, so the cookie takes the domain from the request. That would mean different cookies for different applications unless the appliacations are hosted with the same domain.

• Read more about how cookies work here

You might only want to share the cookie in special cases, for example if you have 2 applications where a form in app A posts to app B. In those cases make sure you use a domain/subdomain that matches both applications and both use the same cookiea name.

• Read more about XSRF here

这篇关于在ASP.NET Core中使用防伪cookie，但使用非默认CookieName的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！