发送 HTTP 标头后服务器无法附加标头 @Html.AntiForgery 处的异常 [英] Server Cannot Append Header After HTTP headers have been sent Exception at @Html.AntiForgery

问题描述

我正在开发一个 asp.net mvc 5 应用程序，我试图通过应用以下代码重定向到 ReturnUrl:

I'm developing an asp.net mvc 5 application in which I was trying to redirect to the ReturnUrl by applying the code below :

[HttpPost]
[AllowAnonymous]
public ActionResult Login(UserLogin model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        string EncryptedPassword = GetMD5(model.Password);
        if (DataAccess.DAL.UserIsValid(model.Username, EncryptedPassword))
        {
            FormsAuthentication.SetAuthCookie(model.Username, true);
            if (String.IsNullOrEmpty(returnUrl))
            {
                return RedirectToAction("Index", "Home");
            }
            else
            {
                Response.Redirect(returnUrl);
            }
        }
        else
        {
            ModelState.AddModelError("", "Invalid Username or Password");
        }
    }
    return View();
}

上面的代码工作正常，但问题是当我发布登录表单时，它给了我一个我以前从未遇到过的异常，我在解决视图中生成的异常时遇到了困难Login.cshtml，在线:

The above code is working fine, But the problem is that when I Post the login form, it gives me an Exception that I've never faced Before and I'm having difficulties resolving the exception that is generating in the view in Login.cshtml, At Line :

@Html.AntiForgeryToken()

以及它抛出的异常:

发送 HTTP 标头后，服务器无法附加标头.

Server cannot append header after HTTP headers have been sent.

我已经研究了很多，但我无法得出结论.当我删除 @Html.AntiForgeryToken() 行时，我的应用程序工作正常，但我不想这样做，我希望我的应用程序保持跨站点请求保护.

I've researched a lot but I'm unable to get to the conclusion. My application works fine when I remove @Html.AntiForgeryToken() line, But I don't want to do this, I want my application to remain cross-site request protected.

任何人都可以帮助我，我如何摆脱这个异常?

Can Anyone Please Help me out, How do I get rid of this Exception?

推荐答案

当 Response.Redirect(anyUrl) 状态码设置为 302 时，header 将添加到响应中:

When Response.Redirect(anyUrl) the status code is set to 302, and the header will added to the response :

HTTP 1.0 302 Object Moved 
Location: http://anyurl.com

当 ViewResult 被执行并且 razor 渲染视图时 Html.AntiForgeryToken() 将调用，所以帮助程序尝试添加标题 X-Frame-Options 和一些 cookie 到响应，这是异常的原因.

And when ViewResult is executed and razor render the view the Html.AntiForgeryToken() will called, so the helper tries to add the header X-Frame-Options and some cookies to the response, it is the cause of the exception.

但是不用担心你可以抑制X-Frame-Options头的添加，只要把这个AntiForgeryConfig.SuppressXFrameOptionsHeader = true;放在Application_start.

But don't worry you can suppress the addition of X-Frame-Options header, just put this AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in the Application_start.

但我建议你改变这个:

Response.Redirect(returnUrl);

到

return Redirect(returnUrl);

注意

自从 .NET 代码打开后，您可以看到 AntiForgeryToken 的工作原理，请参见此处 AntiForgeryWorker.

Since .NET code was opened you can see how the AntiForgeryToken works, see here AntiForgeryWorker.

这篇关于发送 HTTP 标头后服务器无法附加标头 @Html.AntiForgery 处的异常的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！