AntiForgeryToken Expiration Blank Page

Question
I'm using IdentityServer4 with ASP.NET Core 2.2. On the POST Login method I have applied ValidateAntiForgeryToken. Generally, after 20 minutes to 2 hours of sitting on the login page and then attempting to log in, it produces a blank page.

If you look at the Postman console you get a 400 Bad Request message. I then set the cookie expiration on the antiforgery options to 90 days. I was able to let the page sit for up to 6 hours and still log in. However, after around 8 hours (overnight), I received the blank page again after attempting to log in.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login

    services.AddAntiforgery(options =>
    {
        options.Cookie.Expiration = TimeSpan.FromDays(90);
    });
I expect to be able to sit on the login page for 90 days, which is the duration of the cookie, but that doesn't work. How do I get the cookie for the antiforgery token to last the entire 90 days (or whatever time I set it to) and not time out or expire? Is there a way to catch this error and redirect the user back to the login method?

Recommended answer
Yet another implementation using the default one, including all the prechecks, logging, etc. It's still an AuthorizationFilter, so it prevents any further action execution. The only difference is that it triggers an HttpGet to the same URL instead of the default 400 response, a kind of Post/Redirect/Get pattern implementation.
    // using directives assumed for ASP.NET Core 2.2 (not part of the original post)
    using System;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Antiforgery;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.Core.Infrastructure;   // IAntiforgeryValidationFailedResult
    using Microsoft.AspNetCore.Mvc.Filters;
    using Microsoft.AspNetCore.Mvc.ViewFeatures.Internal; // ValidateAntiforgeryTokenAuthorizationFilter
    using Microsoft.Extensions.Logging;

    // Put [AnotherAntiForgeryToken] on the POST action in place of [ValidateAntiForgeryToken].
    public class AnotherAntiForgeryTokenAttribute : TypeFilterAttribute
    {
        public AnotherAntiForgeryTokenAttribute() : base(typeof(AnotherAntiforgeryFilter))
        {
        }
    }

    // Reuses the framework's own antiforgery filter (prechecks, logging) and only
    // replaces what happens when validation fails.
    public class AnotherAntiforgeryFilter : ValidateAntiforgeryTokenAuthorizationFilter,
        IAsyncAuthorizationFilter
    {
        public AnotherAntiforgeryFilter(IAntiforgery a, ILoggerFactory l) : base(a, l)
        {
        }

        async Task IAsyncAuthorizationFilter.OnAuthorizationAsync(
            AuthorizationFilterContext ctx)
        {
            await base.OnAuthorizationAsync(ctx);
            if (ctx.Result is IAntiforgeryValidationFailedResult)
            {
                // the next rows are optional, just illustrating a way
                // to save some sensitive data such as the initial query;
                // the form has to support that (it must post a ReturnUrl field)
                var request = ctx.HttpContext.Request;
                var url = request.Path.ToUriComponent();
                // Request.Form throws on a non-form body, so check the content type first
                if (request.HasFormContentType && request.Form["ReturnUrl"].Count > 0)
                {
                    url = $"{url}?ReturnUrl={Uri.EscapeDataString(request.Form["ReturnUrl"])}";
                }
                // and the following is the only real customization:
                // GET the same URL (which renders a fresh token) instead of returning 400
                ctx.Result = new LocalRedirectResult(url);
            }
        }
    }
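The filter above only replaces the failure result; what makes the redirect actually recover from an expired token is that the GET action re-renders the login view, which issues a fresh antiforgery cookie/form-field pair. The following controller is an added example showing that wiring end to end; it is not code from the original question or answer, and the `AccountController`, `LoginInputModel` and route names are assumptions.

```csharp
using Microsoft.AspNetCore.Mvc;

// Hypothetical login form model (name assumed, not from the original post).
public class LoginInputModel
{
    public string Username { get; set; }
    public string Password { get; set; }
    public string ReturnUrl { get; set; }
}

public class AccountController : Controller
{
    // GET /Account/Login?ReturnUrl=...
    // Rendering the view (a <form asp-action="Login"> tag helper, plus
    // <input type="hidden" asp-for="ReturnUrl" />) emits a new
    // __RequestVerificationToken field and antiforgery cookie, so a user whose
    // old token expired gets a fresh, valid pair after the redirect.
    [HttpGet]
    public IActionResult Login(string returnUrl = null)
    {
        return View(new LoginInputModel { ReturnUrl = returnUrl });
    }

    // POST /Account/Login
    // The custom filter stands in for [ValidateAntiForgeryToken]: an invalid or
    // expired token now redirects to GET /Account/Login?ReturnUrl=... instead of
    // producing the 400 that showed up as a blank page.
    [HttpPost]
    [AnotherAntiForgeryToken]
    public IActionResult Login(LoginInputModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Credential check against your user store goes here (omitted; the
        // original post does not show it).

        // Only follow ReturnUrl when it is local, so the round-tripped value
        // cannot be abused as an open redirect.
        if (!string.IsNullOrEmpty(model.ReturnUrl) && Url.IsLocalUrl(model.ReturnUrl))
        {
            return LocalRedirect(model.ReturnUrl);
        }
        return RedirectToAction(nameof(Login));
    }
}
```

The `ReturnUrl` hidden field is what the filter's optional block reads back out of `Request.Form`; without it the redirect still works but drops the original query string.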