在 ASP.NET Core 中使用防伪 cookie,但使用非默认 CookieName [英] Using the antiforgery cookie in ASP.NET Core but with a non-default CookieName
问题描述
我正在考虑更改 ASP.NET Core 中默认防伪 cookie 的名称.
I'm thinking about changing name of the default antiforgery cookie in ASP.NET Core.
我之所以要更改 cookie 名称是为了匿名化 cookie,在我看来,最终用户没有理由能够确定该 cookie 的责任.
The reason why I would like to change the cookie name is to anonymize the cookie, in my opinion there is no reason why end users should be able to determine the responsibility of this cookie.
Microsoft.AspNetCore.Antiforgery.AntiforgeryOptions.CookieName
- 如何更改防伪 cookie 的名称?我想它应该以某种方式在 Startup.cs 文件中完成?
- 更改默认防伪 cookie 的名称可能会产生哪些影响?
- 如何在 ASP.NET Core 中使用防伪 cookie?
- 不同的网络应用程序(使用相同的域)应该共享一个防伪 cookie,还是应该为每个网络应用程序创建单独的防伪 cookie?
推荐答案
您可以在 Startup.ConfigureServices 中设置不同的名称,如下所示:
You can set a different name in your Startup.ConfigureServices as in:
services.AddAntiforgery(opts => opts.CookieName = "MyAntiforgeryCookie");
为此使用以下内容:
services.AddAntiforgery(opts => opts.Cookie.Name = "MyAntiforgeryCookie");
默认情况下,AddMvc() 内部调用AddAntiforgery(),这意味着您将获得默认的cookie、标题和表单名称.如果您需要/想要使用不同的名称,您可以通过如上所述手动调用 AddAntiforgery 来实现.
By default AddMvc() internally calls AddAntiforgery(), which means you get the default cookie, header and form names. If you need to/want to use different names, you can do so by manually calling AddAntiforgery as above.
如果您更改 cookie 名称,应该不会对您的应用程序产生任何影响(除非您自己添加了手动使用该 cookie 的代码).您可能还想更改标题/表单名称,例如官方 Antiforgery repo 有一个示例,它使用 Angular 并将标头更改为标准 Angular XSRF 令牌标头.
There should be no implications for your application if you change the cookie name (unless you added code yourself that manually used that cookie). You might also want to change the header/form name, for example the offical Antiforgery repo has an example that uses Angular and changes the header as the standard angular XSRF token header.
为了使用它,请将 [ValidateAntiForgeryToken] 添加到 GET 请求以外的控制器操作中.
In order to use it, add the [ValidateAntiForgeryToken] to controller actions other than GET requests.
只要您使用 asp 表单标签助手,您就不必对标准 html 表单做任何其他事情,请参阅 这个问题.
You have to do nothing else for standard html forms as long as you use the asp form tag helpers, see this question.
如果您使用 ajax 请求,那么您将需要在您的请求中包含一个标头或一个包含生成令牌的字段.你基本上需要:
If you use ajax requests, then you will need to include either a header or a field within your request that includes the generated token. You basically need to:
- 获取
IAntiforgery - 调用
var tokenSet = antiforgery.GetAndStoreTokens(httpContext); 使其可用于您的 js 代码,以便它知道值
tokenSet.RequestToken被包含为名称为tokenSet.FormFieldName的字段或每个 ajax 请求中名称为tokenSet.HeaderName的标头.
- Get an
IAntiforgery - Call
var tokenSet = antiforgery.GetAndStoreTokens(httpContext); Make it available to your js code so it knows about the value
tokenSet.RequestTokento be included as either a field with nametokenSet.FormFieldNameor a header with nametokenSet.HeaderNamewithin each ajax request.
- 一些选项,例如将令牌渲染到 js 布局中脚本部分内的 JS 对象,添加 JS 可读 cookie,如 angular 示例中,继续渲染包含在 ajax 请求中的隐藏字段
- 有一个很好的选项概述 在这个答案中
目标是让 POST/PUT/DELETE/PATCH 请求包含 2 个内容:
The aim is for POST/PUT/DELETE/PATCH requests to include 2 things:
- 防伪 cookie
- 带有令牌的字段/标题
所以防伪中间件可以验证没有 XSRF.
So the antiforgery middleware can validate there was no XSRF.
关于 cookie 名称/域的更新
合理的默认设置是每个应用程序都有自己的 cookie.您通常使用默认方法得到它,因为 cookie 上没有专门设置域,因此 cookie 从请求中获取域.这意味着不同的应用程序使用不同的 cookie,除非应用程序托管在同一个域中.
The sensible default is for each application to have its own cookie. You mostly get that with the default approach as no domain is specifically set on the cookie, so the cookie takes the domain from the request. That would mean different cookies for different applications unless the appliacations are hosted with the same domain.
- 详细了解 Cookie 的工作原理此处李>
您可能只想在特殊情况下共享 cookie,例如,如果您有 2 个应用程序,其中应用程序 A 中的一个表单发布到应用程序 B.在这些情况下,请确保您使用的域/子域与这两个应用程序以及两者都匹配使用相同的 cookie 名称.
You might only want to share the cookie in special cases, for example if you have 2 applications where a form in app A posts to app B. In those cases make sure you use a domain/subdomain that matches both applications and both use the same cookiea name.
- 了解更多关于 XSRF 这里
这篇关于在 ASP.NET Core 中使用防伪 cookie,但使用非默认 CookieName的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
