400 Bad Request when POST-ing to Razor Page


Question

My page has...

@page "{candidateId:int}"

...and

@Html.AntiForgeryToken()

The model has...

public void OnGet(int candidateId)
{

}

public void OnPost(int candidateId)
{

}

GET works fine. Here is my AJAX request..

$.ajax({
    type: "POST",
    url: "/Skills/" + candidateId,
    beforeSend: function (xhr) {

        xhr.setRequestHeader("XSRF-TOKEN",
            $('input:hidden[name="__RequestVerificationToken"]').val());
    },
    data: {

        name: 'hi mum'
    },

    success: function (response) {
    },
    failure: function (response) {

        alert(response);
    }
});

Browser receives useless error message... 400 Bad Request.

What am I missing?

Recommended answer

You are getting a 400 (Bad Request) response because the framework expects the RequestVerificationToken as part of the posted request. The framework uses this to prevent possible CSRF attacks. If your request does not have this information, the framework will return the 400 bad request. Your current code is not sending it.

Change your code to this

headers:
{
    "RequestVerificationToken": $('input:hidden[name="__RequestVerificationToken"]').val()
},

This will add a new item with key RequestVerificationToken to the request header and the framework should not throw a 400 response when the call is made. (assuming your view code generated the hidden input for the __RequestVerificationToken hidden input)

You can make the code more robust by injecting the IAntiforgery implementation to the view/page and using the GetAndStoreTokens method.

@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf
@functions{
public string GetAntiXsrfRequestToken()
{
    return Xsrf.GetAndStoreTokens(Model.HttpContext).RequestToken;
}
}

and call this GetAntiXsrfRequestToken function to get the value in your javascript

headers:
{
    "RequestVerificationToken": '@GetAntiXsrfRequestToken()'
},

You also probably want to use the PageModel's CandidateId property to create the url. Something like this

url: "/Skills/@Model.CandidateId",

Also, you do need to call @Html.AntiForgeryToken() method explicitly to generate the token input. Having a form with post method with no action attribute value will generate the hidden input for you.

<form method="post">
   <!-- your inputs-->
</form>
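
An added example, not part of the original question or answer: the same fix written with fetch instead of jQuery. It reads the token from the hidden input, fails early when that input is missing, and sends the token under the RequestVerificationToken header. The helper names buildAntiforgeryPost and postWithToken are hypothetical.

```javascript
// Added example; helper names are hypothetical, not from the original post.
const TOKEN_FIELD = "__RequestVerificationToken"; // hidden input name, as on the page
const TOKEN_HEADER = "RequestVerificationToken";  // header name used in the answer

// Build fetch() arguments for a POST that carries the antiforgery request token.
// `doc` is anything with querySelector (the browser `document` in real use).
function buildAntiforgeryPost(doc, url, data) {
  const input = doc.querySelector('input[name="' + TOKEN_FIELD + '"]');
  const token = input && input.value;
  if (!token) {
    // Fail before sending: without the token the server would answer 400.
    throw new Error("No " + TOKEN_FIELD + " input on the page; render a " +
      '<form method="post"> or @Html.AntiForgeryToken() first.');
  }
  return {
    url: url,
    options: {
      method: "POST",
      // same-origin keeps the antiforgery cookie on the request; the server
      // validates the header token against that cookie.
      credentials: "same-origin",
      headers: {
        [TOKEN_HEADER]: token,
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
      },
      body: new URLSearchParams(data).toString(),
    },
  };
}

// Send the request and turn a bare 400 into an actionable error.
async function postWithToken(doc, url, data, fetchImpl = fetch) {
  const req = buildAntiforgeryPost(doc, url, data);
  const res = await fetchImpl(req.url, req.options);
  if (res.status === 400) {
    throw new Error("400 Bad Request: check that the " + TOKEN_HEADER +
      " header and the antiforgery cookie were both sent.");
  }
  return res;
}
```

In the browser, call it as `postWithToken(document, "/Skills/" + candidateId, { name: "hi mum" })`.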
