MVC3 AntiForgeryToken问题 [英] MVC3 AntiForgeryToken Issue

问题描述

我想实现AntiForgeryToken我MVC3应用。我设置FormAuthentication饼干后无法正常使用AntiForgeryToken一个问题。下面是一个简单的例子，这也解释了我的问题。

I am trying to implement AntiForgeryToken for my MVC3 Application. I am having a problem with AntiForgeryToken after setting FormAuthentication cookie. Here is a simple example which explains my problem.

我家控制器，具有以下的操作方法：

I have home controller with following action methods:

public class HomeController : Controller
{
    public ActionResult Logon()
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logon(string userName, string password)
    {
        FormsAuthentication.SetAuthCookie(userName, false);
        return View("About");
    }


    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult About(FormCollection form)
    {
        return View("PageA");
    }
 }

这是我的登录和关于视图：

And here is my Logon and About views:

Logon.cshtml：

Logon.cshtml:

   @using (Html.BeginForm("Logon", "Home"))
   {

    @Html.AntiForgeryToken()

    <label> UserName :</label>
    <input  name = "userName" type="text"/>
    <br />
    <label> Password :</label>
    <input name = "password" type="password"/>
    <br />
    <br />
    <input type="submit" value="LogOn" />

   }

About.cshtml

About.cshtml

@using (Html.BeginForm("About", "Home"))
{

    @Html.AntiForgeryToken()
    <p> This is conent of page About</p>
    <input  name = "moreInfo" type="text"/>

    <input type="submit" value="SubmitAbout" />
}

我对登录后法没有问题。据验证antiforgerytoken和渲染关于视图。有趣的是，当我发布的关于查看我收到错误需要的防伪标记不提供或无效

I have no problem on "Logon" post method. It is validating the antiforgerytoken and rendering About view. Interestingly, when I do post on "About" view I am getting error "A required anti-forgery token was not supplied or was invalid"

能有人指出我在做什么错在这里？

could some one point out what I am doing wrong here?

鸭preciate你的帮助。

Appreciate your help.

推荐答案

我做了一些测试，并确定你调用即使 FormsAuthentication.SetAuthCookie（...） ，问题是， httpContext.User.Identity.Name 将仍然是空的请求的持续时间。

I did some tests, and determined that even after you call FormsAuthentication.SetAuthCookie(...), the problem is that httpContext.User.Identity.Name will still be empty for the duration of the request.

因此​​，要解决这个问题，你需要手动设置当前用户像这样：

Therefore, to solve this issue, you need to manually set the current User as so:

FormsAuthentication.SetAuthCookie(email, true);
this.HttpContext.User = new GenericPrincipal(new GenericIdentity(email), null);

这将设置正确的用户，用于当 Html.AntiForgeryToken（）被称为

This will set the correct User that is used when Html.AntiForgeryToken() is called.

请注意，这code是没有必要的正常PRG-模式的网站，因为经过重定向，正确的用户将被载入。

Please note that this code isn't necessary for normal PRG-pattern websites, because after the redirect, the correct User will be loaded.

此外，由于你的登录方法需要一个有效的用户名和密码，它是不是真的容易受到CSRF攻击，所以你可能并不需要使用 ValidateAntiForgeryToken 上的方法。也许这就是为什么AntiForgeryToken取决于用户名。 CSRF攻击通常只能利用已认证用户。

Also, since your Logon method requires a valid user name and password, it isn't really susceptible to CSRF attacks, so you probably don't need to use ValidateAntiForgeryToken on that method. Maybe that's why the AntiForgeryToken is dependent on the user name. CSRF attacks usually only exploit already-authenticated users.

这篇关于MVC3 AntiForgeryToken问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！