防伪造标记是为用户QUOT;＆QUOT;但目前用户＆QUOT;用户名＆QUOT; [英] Anti forgery token is meant for user "" but the current user is "username"

问题描述

我建立一个单页的应用程序，并遇到问题与防伪标记。

我知道为什么这个问题发生了，我只是不知道如何解决它。

我得到的错误，当出现以下情况：

1. 非登录用户加载对话框（与所生成的防伪标记）


2. 用户关闭对话框


3. 在用户登录


4. 用户打开同一个对话框


5. 用户提交表单对话框

  

反伪造令牌是为用户，但目前的用户
  用户名

发生这种情况的原因是因为我的应用程序是100％的单页，当用户成功通过Ajax帖子登录 /帐号/ JsonLogin ，我简单切换出当前观点，从服务器，但返回不重新加载页面的身份验证的意见。

我知道这是什么原因，因为如果我简单的重装步骤3和4之间的页面，没有错误。

如此看来， @ Html.AntiForgeryToken（）在加载的形式，直到页面重新加载仍然返回一个标记为老用户。

如何修改 @ Html.AntiForgeryToken（）来返回一个标记为新的，经过验证的用户？

我注入了新的 GenericalPrincipal 使用自定义的的IIdentity 每 Application_AuthenticateRequest 这样的时间 @ Html.AntiForgeryToken（）被称为 HttpContext.Current.User.Identity 是，其实我与 IsAuthenticated 属性设置为true，但自定义标识 @ Html.AntiForgeryToken 似乎仍然呈现令牌对于老用户，除非我做了重新加载页面。

解决方案

这是发生由于防伪标记嵌入用户的用户名作为更好的验证的加密令牌的一部分。当你第一次调用 @ Html.AntiForgeryToken（）的用户没有这样的令牌登录将会对用户名空字符串，在用户登录后，如果您不更换防伪令牌就不能通过验证，因为最初的标记是匿名用户，现在我们有一个已知用户名身份验证的用户。

您有几种选择来解决这个问题：

1 - 就在这个时候让你的SPA做一个完整的POST，当页面重新加载，将有更新的用户名的防伪标记嵌入

2 - 有一个局部视图只是 @ Html.AntiForgeryToken（）并登录之后，做另外一个AJAX请求，并与替换现有的防伪标记响应请求的。

3只禁用的身份检查防伪验证执行。以下内容添加到您的的Application_Start 的方法： AntiForgeryConfig.Sup pressIdentityHeuristicChecks = TRUE

I'm building a single page application and experiencing an issue with anti-forgery tokens.

I know why the issue happens I just don't know how to fix it.

I get the error when the following happens:

1. Non-logged-in user loads a dialog (with a generated anti-forgery token)
2. User closes dialog
3. User logs in
4. User opens the same dialog
5. User submits form in dialog

Anti forgery token is meant for user "" but the current user is "username"

The reason this happens is because my application is 100% single-page, and when a user successfully logs in through an ajax post to /Account/JsonLogin, I simply switch out the current views with the "authenticated views" returned from the server but do not reload the page.

I know this is the reason because if I simple reload the page between steps 3 and 4, there is no error.

So it seems that @Html.AntiForgeryToken() in the loaded form still returns a token for the old user until the page is reloaded.

How can I change @Html.AntiForgeryToken() to return a token for the new, authenticated user?

I inject a new GenericalPrincipal with a custom IIdentity on every Application_AuthenticateRequest so by the time @Html.AntiForgeryToken() gets called HttpContext.Current.User.Identity is, in fact my custom Identity with IsAuthenticated property set to true and yet @Html.AntiForgeryToken still seems to render a token for the old user unless I do a page reload.

解决方案

This is happening because the anti-forgery token embeds the username of the user as part of the encrypted token for better validation. When you first call the @Html.AntiForgeryToken() the user is not logged in so the token will have an empty string for the username, after the user logs in, if you do not replace the anti-forgery token it will not pass validation because the initial token was for anonymous user and now we have an authenticated user with a known username.

You have a few options to solve this problem:

1- Just this time let your SPA do a full POST and when the page reloads it will have an anti-forgery token with the updated username embedded.

2- Have a partial view with just @Html.AntiForgeryToken() and right after logging in, do another AJAX request and replace your existing anti-forgery token with the response of the request.

3- Just disable the identity check the anti-forgery validation performs. Add the following to your Application_Start method: AntiForgeryConfig.SuppressIdentityHeuristicChecks = true.

这篇关于防伪造标记是为用户QUOT;＆QUOT;但目前用户＆QUOT;用户名＆QUOT;的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！