Troubleshooting anti-forgery token problems


Question

I have a form post that consistently gives me an anti-forgery token error.

Here is my form:

@using (Html.BeginForm())
{
    @Html.AntiForgeryToken()
    @Html.EditorFor(m => m.Email)
    @Html.EditorFor(m => m.Birthday)
    <p>
        <input type="submit" id="Go" value="Go" />
    </p>
}

Here is my action method:

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Join(JoinViewModel model)
{
    //a bunch of stuff here but it doesn't matter because it's not making it here
}

Here is the machineKey in web.config:

<system.web>
  <machineKey validationKey="mykey" decryptionKey="myotherkey" validation="SHA1" decryption="AES" />
</system.web>

And here is the error I get:

A required anti-forgery token was not supplied or was invalid.

I've read that changing users on the HttpContext will invalidate the token, but this isn't happening here. The HttpGet on my Join action just returns the view:

[HttpGet]
public ActionResult Join()
{
    return this.View();
}

So I'm not sure what's going on. I've searched around, and everything seems to suggest that it's either the machineKey changing (app cycles) or the user/session changing.

What else could be going on? How can I troubleshoot this?

Accepted answer

After help from Adam, I got the MVC source added to my project and was able to see that there are many cases that result in the same error.

Here is the method used to validate the anti-forgery token:

public void Validate(HttpContextBase context, string salt) {
    Debug.Assert(context != null);

    string fieldName = AntiForgeryData.GetAntiForgeryTokenName(null);
    string cookieName = AntiForgeryData.GetAntiForgeryTokenName(context.Request.ApplicationPath);

    HttpCookie cookie = context.Request.Cookies[cookieName];
    if (cookie == null || String.IsNullOrEmpty(cookie.Value)) {
        // error: cookie token is missing
        throw CreateValidationException();
    }
    AntiForgeryData cookieToken = Serializer.Deserialize(cookie.Value);

    string formValue = context.Request.Form[fieldName];
    if (String.IsNullOrEmpty(formValue)) {
        // error: form token is missing
        throw CreateValidationException();
    }
    AntiForgeryData formToken = Serializer.Deserialize(formValue);

    if (!String.Equals(cookieToken.Value, formToken.Value, StringComparison.Ordinal)) {
        // error: form token does not match cookie token
        throw CreateValidationException();
    }

    string currentUsername = AntiForgeryData.GetUsername(context.User);
    if (!String.Equals(formToken.Username, currentUsername, StringComparison.OrdinalIgnoreCase)) {
        // error: form token is not valid for this user
        // (don't care about cookie token)
        throw CreateValidationException();
    }

    if (!String.Equals(salt ?? String.Empty, formToken.Salt, StringComparison.Ordinal)) {
        // error: custom validation failed
        throw CreateValidationException();
    }
}

My problem was the condition where it compares the Identity user name with the form token's user name. In my case, I didn't have the user name set (one was null, the other was an empty string).

While I doubt many will run into this same scenario, hopefully others will find it useful to see the underlying conditions that are being checked.
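As an added troubleshooting example (not from the original answer or from the MVC source), the same five checks in the order Validate() performs them, each returning a distinct reason instead of the one shared exception. TokenData and the sample values are constructed stand-ins for AntiForgeryData; the sample reproduces the null-versus-empty user name case from the answer.

```csharp
using System;

// Constructed stand-in for the three AntiForgeryData fields the checks compare.
public sealed class TokenData
{
    public string Value { get; set; }
    public string Username { get; set; }
    public string Salt { get; set; }
}

public static class AntiForgeryDiagnostics
{
    // Same checks and same order as Validate(), but each failure names itself.
    public static string Diagnose(TokenData cookieToken, TokenData formToken,
                                  string currentUsername, string salt)
    {
        if (cookieToken == null || string.IsNullOrEmpty(cookieToken.Value))
            return "cookie token missing (cookie not set, wrong name/path, or not sent back)";
        if (formToken == null || string.IsNullOrEmpty(formToken.Value))
            return "form token missing (is @Html.AntiForgeryToken() inside the posted form?)";
        if (!string.Equals(cookieToken.Value, formToken.Value, StringComparison.Ordinal))
            return "form token does not match cookie token (stale page or changed machineKey)";
        if (!string.Equals(formToken.Username, currentUsername, StringComparison.OrdinalIgnoreCase))
            return string.Format("form token user '{0}' != current user '{1}' (null and \"\" are not equal)",
                                 formToken.Username ?? "<null>", currentUsername ?? "<null>");
        if (!string.Equals(salt ?? string.Empty, formToken.Salt, StringComparison.Ordinal))
            return "salt mismatch (salt passed to AntiForgeryToken() must match the attribute's Salt)";
        return "ok";
    }

    public static void Main()
    {
        // Constructed sample: identical token values, but the form token carries an
        // empty user name while the current identity yields null, as in the answer.
        var cookie = new TokenData { Value = "tok123", Username = "", Salt = "" };
        var form   = new TokenData { Value = "tok123", Username = "", Salt = "" };
        Console.WriteLine(Diagnose(cookie, form, currentUsername: null, salt: null));
    }
}
```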
