AntiForgeryToken Expiration Blank Page


Problem description

I'm using IdentityServer4 with ASP.NET Core 2.2. On the Post Login method I have applied the ValidateAntiForgeryToken. Generally, after 20 minutes to 2 hours of sitting on the login page and then attempting to log in, it produces a blank page.

If you look at the Postman Console you get a 400 Bad Request message. I then set the Cookie Expiration on the AntiForgery options to 90 days. I was able to allow the page to sit for up to 6 hours and still log in. However, after around 8 hours (overnight), I received the blank page again after attempting to log in.

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Login

services.AddAntiforgery(options =>
{
    options.Cookie.Expiration = TimeSpan.FromDays(90);
});

I expect to be able to sit on the login page for 90 days, which is the duration of the cookie, but that doesn't work. How do I get the cookie for the AntiforgeryToken to last the entire 90 days, or whatever time I set it to, and not time out or expire? Is there a way to catch this error and redirect the user back to the login method?

Recommended answer

Yet another implementation using the default one, including all prechecks, logging etc. And it's still an AuthorizationFilter, so that prevents any further action execution. The only difference is that it triggers an HttpGet to the same URL instead of the default 400 response, a kind of Post/Redirect/Get pattern implementation.

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
// ValidateAntiforgeryTokenAuthorizationFilter lives in this namespace in ASP.NET Core 2.2
using Microsoft.AspNetCore.Mvc.ViewFeatures.Internal;
using Microsoft.Extensions.Logging;

public class AnotherAntiForgeryTokenAttribute : TypeFilterAttribute
{
    public AnotherAntiForgeryTokenAttribute() : base(typeof(AnotherAntiforgeryFilter))
    {
    }
}


public class AnotherAntiforgeryFilter : ValidateAntiforgeryTokenAuthorizationFilter,
    IAsyncAuthorizationFilter
{
    public AnotherAntiforgeryFilter(IAntiforgery a, ILoggerFactory l) : base(a, l)
    {
    }

    async Task IAsyncAuthorizationFilter.OnAuthorizationAsync(
        AuthorizationFilterContext ctx)
    {
        // the stock filter does the safe-method check, the token comparison
        // and the logging, and sets a 400 result when validation fails
        await base.OnAuthorizationAsync(ctx);

        if (ctx.Result is IAntiforgeryValidationFailedResult)
        {
            // the next rows are optional, just illustrating a way
            // to save some sensitive data such as initial query
            // the form has to support that
            var request = ctx.HttpContext.Request;
            var url = request.Path.ToUriComponent();
            // Request.Form throws when the body is not form-encoded, so check first
            if (request.HasFormContentType && request.Form["ReturnUrl"].Count > 0)
                url = $"{url}?ReturnUrl={Uri.EscapeDataString(request.Form["ReturnUrl"].ToString())}";

            // and the following is the only real customization:
            // a GET to the same URL instead of the 400 (Post/Redirect/Get);
            // LocalRedirectResult rejects non-local targets, so the redirect stays on this host
            ctx.Result = new LocalRedirectResult(url);
        }
    }
}
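As an added example (not from the original answer), the same Post/Redirect/Get behaviour built only on the public IAntiforgery API, so it does not inherit from ValidateAntiforgeryTokenAuthorizationFilter, which sits in an Internal namespace in ASP.NET Core 2.2; the class names are hypothetical and it assumes the Microsoft.AspNetCore.Antiforgery and MVC packages that the answer already uses.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Logging;

// Hypothetical names (not from the original answer): the attribute wires the
// filter through DI exactly as AnotherAntiForgeryTokenAttribute does.
public class RedirectOnAntiforgeryFailureAttribute : TypeFilterAttribute
{
    public RedirectOnAntiforgeryFailureAttribute()
        : base(typeof(RedirectOnAntiforgeryFailureFilter)) { }
}

public class RedirectOnAntiforgeryFailureFilter : IAsyncAuthorizationFilter
{
    private readonly IAntiforgery _antiforgery;
    private readonly ILogger _logger;
    public RedirectOnAntiforgeryFailureFilter(IAntiforgery antiforgery, ILoggerFactory lf)
    {
        _antiforgery = antiforgery;
        _logger = lf.CreateLogger<RedirectOnAntiforgeryFailureFilter>();
    }

    public async Task OnAuthorizationAsync(AuthorizationFilterContext ctx)
    {
        var request = ctx.HttpContext.Request;
        // Safe methods carry no token; the stock filter skips them the same way.
        if (HttpMethods.IsGet(request.Method) || HttpMethods.IsHead(request.Method) ||
            HttpMethods.IsOptions(request.Method) || HttpMethods.IsTrace(request.Method))
            return;
        try
        {
            // Public API: compares the cookie token with the form/header token.
            await _antiforgery.ValidateRequestAsync(ctx.HttpContext);
        }
        catch (AntiforgeryValidationException ex)
        {
            // Stale or missing token: log it, then re-issue the form via GET so the user gets a fresh token instead of a 400.
            _logger.LogWarning(ex, "Antiforgery validation failed for {Path}", request.Path);
            var url = request.Path.ToUriComponent();
            if (request.HasFormContentType && request.Form["ReturnUrl"].Count > 0)
                url += "?ReturnUrl=" + Uri.EscapeDataString(request.Form["ReturnUrl"].ToString());
            ctx.Result = new LocalRedirectResult(url); // rejects non-local targets
        }
    }
}
```

Apply it to the POST Login action in place of [ValidateAntiForgeryToken]; a request with an expired cookie is answered with a 302 back to the login form and a warning in the log rather than the blank 400 page.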
