验证防伪令牌 AngularJS。 X-XSRF-TOKEN header 和 XSRF-TOKEN cookie 设置但得到 400
ValidateAntiForgeryToken AngularJS. X-XSRF-TOKEN header and XSRF-TOKEN cookie set but get 400
有人能帮我找出哪里做错了,或者给我一些排查思路吗?
我正在尝试在 .NET Core 2.2 和 AngularJS 1.x 中实现防伪(Antiforgery)令牌验证。
我按照 https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.2 的建议进行配置。
我在 Startup.ConfigureServices 中注册了 Antiforgery 服务,并把 header 名称设为 X-XSRF-TOKEN:
public void ConfigureServices(IServiceCollection services)
{
services.AddAntiforgery(options =>
{
options.HeaderName = "X-XSRF-TOKEN";
});
...
并在 Startup.Configure 中,对 / 和 /index.html 的请求调用 GetAndStoreTokens,把请求令牌写入一个 JavaScript 可读(HttpOnly = false)的 XSRF-TOKEN cookie:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, IAntiforgery antiforgery)
{
app.Use(next => context =>
{
if (
string.Equals(context.Request.Path.Value, "/", StringComparison.OrdinalIgnoreCase) ||
string.Equals(context.Request.Path.Value, "/index.html", StringComparison.OrdinalIgnoreCase))
{
// We can send the request token as a JavaScript-readable cookie, and Angular will use it by default.
var tokens = antiforgery.GetAndStoreTokens(context);
context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
new CookieOptions() { HttpOnly = false });
}
return next(context);
});
控制器上加了以下特性(attribute):
namespace myApp.Controllers
{
[Authorize]
[Route("api/[controller]")]
[AutoValidateAntiforgeryToken]
public class MyController : BaseController {
...
对 API 的 POST 调用返回 400(Bad Request)。
查看请求,我可以看到 X-XSRF-TOKEN header 和 XSRF-TOKEN cookie 都已设置,而且两者的值完全相同(注意:下面的抓包原样包含了 .AspNetCore.Cookies 身份验证 cookie 和 .AspNetCore.Session 会话 cookie——公开发布请求转储前应先把这类凭据脱敏):
POST /api/workorder/Comments HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 98
Accept: application/json, text/plain, */*
Origin: https://localhost
X-XSRF-TOKEN: CfDJ8BCa8m6CvM5GparPYbgIX8FXQjjHjRAiGd9e9COKtDhDUbgE7_X9qgikbPsIyHJeRjuw2y-qHEqTn5YESmw0Gj6ZVf9xXF-TUf_ditqyTuBRpeXr_JTH7Uk18oklltlyHkYwcQ2C3SpOIgqFYyT6to4
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Content-type: application/json
Referer: https://localhost/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: .AspNetCore.Session=CfDJ8BCa8m6CvM5GparPYbgIX8GcURsnOV6r5RkBhFxasg3GeHxhTASIKLGW%2FKbAEe0diH8oX7Vi1JaiKpjHs3k9PAiCsbVFIjF2bketdVNP7XuAk3d4NiCW7xB2bR4CQrubL9E4aoAVVB4tf%2FENL6xRjSWlTxpzywiZ4SHm9%2FLB%2FFd3; ADRUM=s=1575051518681&r=https%3A%2F%2Flocalhost%2F%3F159349506; XSRF-TOKEN=CfDJ8BCa8m6CvM5GparPYbgIX8FXQjjHjRAiGd9e9COKtDhDUbgE7_X9qgikbPsIyHJeRjuw2y-qHEqTn5YESmw0Gj6ZVf9xXF-TUf_ditqyTuBRpeXr_JTH7Uk18oklltlyHkYwcQ2C3SpOIgqFYyT6to4; .AspNetCore.Cookies=CfDJ8BCa8m6CvM5GparPYbgIX8GRcj_GMNMrBD5Dse6ZyfxXHUlF5Ldok61Gtm49-6bEjvFWX7prULqhzvnVSsq_bOoQedsDBIWB11BP2a13ea50u6-QT0ap9j9kTtwXzw-vuZBpiD_N-WIovswE2IQ4MfpG2xuALfjQfVt9g2M_Nv3fhuBJMJnWcs0Oy4XPdDKumJ-pPmB3pvhv6RjeqdKOk_mz8SmU0Pa7-02cXFj9WIq3SbPi1oZy0msgTVpN9HCzbdA2KJJM9oRgsJ_mIN-EqP96WqVYT7SqoQBp2rGk7V-SOxGVSncQ5-j6s6vcL2oURFfyI3Cqz89DNL_lmddf-iJg4uPBcL6qP_2e12k89NHuv0c3F9XIQ9cT8fAfdjUurSpb4PrxrYVs4eSMAyecgWSmvIinCdXdzJUTM4mGKXd4ySwvHCFnL0xgJpuIWH-V4EmP5qsMexfiFAD80xiu2387PrEqLgmA0XGJEM-TEikbr5JQPy-gmxZLTq2sgUofc67v_vzJurdqojgseNw_ZrWke0bn9dSxFakgD7URFcIBeaeIkzTL0mqc_43j3xWUgfi-mpIQtL4Zo4OF_aIh2YQncRWgS5uBZ6RAwN2PnJJy_UoiFU37Adw_5pjqW4kfNQ8pxr1n7MRiPe6yB45qAE6dyGFpvrJ8pWOF5h3mxEz1q7zd4Mo5tcZeBpUooGwkyM5gMx0aSW4wcAL8dYzgMwY-gYDcMD4HJ3-XciFoP6Q0iycpfecQAGbPMfjxNnS0XdAP2bXbYklPcx7D0PL0onMkreBqlliU8oDjCmub-avPLcOB_LMzVn6aUy8_bwv7Qmx4PMPHG27PSEGLuhFu8AdmxfTZOHHtD2OvbIgGbIpodNTTK6Zg7dM6oKBM8RCUa3QszhszBIFaPgz4aGCeCfCLc1-FKujMbOhM3KjgRqkQ_-0ahr2JGEtLNbjx-0QhiJNvR6dDqCAWRQGxbwe-fc1N1CerDa1I_OW2aE8uwgAniPlSu0gCixutaonF5td8MeKe4O4538iHEg4VbcGwr2i6FSP4uTYPfZ3pQ1TBLB1aBRtT2mzFuaNZoPWhpxdnQFDvB1R4riy--364vWD7SygiQx9aLdVQ-ds2JY-wi0Dx0VyOP0csZ1NvBnrqOj7IPQWLrclHf1S3qokFwSV6ynqEf0iWvuUgES1PfsvN2xP4ESKT5CJPvS-9iMem9mmBGaT7P6vFDaknDpFy640wKNLRREgVCK7ByVNEF7qGmaPTPu21H08WIDwtt4Rmut8zEQ1-DaAOe2BWUKzL8Y9OR_cgcMIfL6ZjergoeYowNucNx5hw1v-h67XpQpDETNiD-me8NKxhnuEgRLFo4_sZOjwPQM5qi4ROw0x2I_GxKV9M-MAd5Z_YlbVUxO3PLxYSg2GqGNl8UR4fFQZrTeKZUu-dM8gy05CK-ULfFkdQAc_afwRPGptqc-Q0PpfQE4Be4Q; 
.AspNetCore.Antiforgery.EsC6NJJg3sg=CfDJ8BCa8m6CvM5GparPYbgIX8GfDalyGMrWa5wwuF0ZcWmHkAfzmHxl2IK7BOBoQWvXmTcq_I7t0a0vCdVfd97--Sj1Dv8v53dg--LHPU9UKz3YBG0MgV_dfvtShz7_7TYbeAdDLtQqAStRwFdCOdSyick
非常感谢您的帮助 - 我已经为此花了一天多的时间,这让我抓狂!
我的猜测是:你把 ASP.NET Core 的 CSRF 缓解机制和 AngularJS 的默认约定混在了一起。
不过先看一个事实:你贴出的请求里 X-XSRF-TOKEN header 的值和 XSRF-TOKEN cookie 的值完全相同,.AspNetCore.Antiforgery.* cookie 也在。也就是说两个令牌都已经送到了服务器,400 是验证器拒绝了这对令牌,而不是缺少 header。要知道确切原因,把 Microsoft.AspNetCore.Antiforgery(以及 Microsoft.AspNetCore.Mvc)的日志级别调到 Debug,验证失败时日志里会给出具体的失败信息。
有两个常见原因值得核对:(1) 请求令牌和 cookie 令牌不是同一次 GetAndStoreTokens 生成的配对——例如 SPA 还拿着旧的 XSRF-TOKEN,而再次访问 / 或 /index.html 时又重新生成了一对;(2) 令牌是在用户尚未登录(匿名)时生成的,而被校验的 POST 已经带上了 .AspNetCore.Cookies 身份验证 cookie——ASP.NET Core 会把请求令牌绑定到当前用户的声明(claims)标识,为匿名用户签发的令牌在已登录用户的请求中会被拒绝,因此登录成功后需要重新签发令牌。
另外一个安全方面的提醒:站点是 HTTPS(Origin 为 https://localhost),所以 XSRF-TOKEN cookie 除了 HttpOnly = false 之外还应设置 Secure = true(并考虑 SameSite),避免请求令牌经明文传输泄露。
如果你想完全绕开 AngularJS 的默认行为:把 header 名称设为 X-XSRF-TOKEN,cookie 名称改为 XSRF-REQUEST-TOKEN(这样 AngularJS 就不会自动读取它),然后为 POST 请求编写一个拦截器,读取该 cookie 并把值放进名为 X-XSRF-TOKEN 的 header 一并发送。
您可以在此处找到样本:
https://www.blinkingcaret.com/2018/11/29/asp-net-core-web-api-antiforgery/
有人能帮我找出哪里做错了,或者给我一些排查思路吗?
我正在尝试在 .NET Core 2.2 和 AngularJS 1.x 中实现防伪(Antiforgery)令牌验证。
我按照 https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.2 的建议进行配置。
我在 Startup.ConfigureServices 中注册了 Antiforgery 服务,并把 header 名称设为 X-XSRF-TOKEN:
public void ConfigureServices(IServiceCollection services)
{
services.AddAntiforgery(options =>
{
options.HeaderName = "X-XSRF-TOKEN";
});
...
并在 Startup.Configure 中,对 / 和 /index.html 的请求调用 GetAndStoreTokens,把请求令牌写入一个 JavaScript 可读(HttpOnly = false)的 XSRF-TOKEN cookie:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, IAntiforgery antiforgery)
{
app.Use(next => context =>
{
if (
string.Equals(context.Request.Path.Value, "/", StringComparison.OrdinalIgnoreCase) ||
string.Equals(context.Request.Path.Value, "/index.html", StringComparison.OrdinalIgnoreCase))
{
// We can send the request token as a JavaScript-readable cookie, and Angular will use it by default.
var tokens = antiforgery.GetAndStoreTokens(context);
context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
new CookieOptions() { HttpOnly = false });
}
return next(context);
});
控制器上加了以下特性(attribute):
namespace myApp.Controllers
{
[Authorize]
[Route("api/[controller]")]
[AutoValidateAntiforgeryToken]
public class MyController : BaseController {
...
对 API 的 POST 调用返回 400(Bad Request)。
查看请求,我可以看到 X-XSRF-TOKEN header 和 XSRF-TOKEN cookie 都已设置,而且两者的值完全相同(注意:下面的抓包原样包含了 .AspNetCore.Cookies 身份验证 cookie 和 .AspNetCore.Session 会话 cookie——公开发布请求转储前应先把这类凭据脱敏):
POST /api/workorder/Comments HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 98
Accept: application/json, text/plain, */*
Origin: https://localhost
X-XSRF-TOKEN: CfDJ8BCa8m6CvM5GparPYbgIX8FXQjjHjRAiGd9e9COKtDhDUbgE7_X9qgikbPsIyHJeRjuw2y-qHEqTn5YESmw0Gj6ZVf9xXF-TUf_ditqyTuBRpeXr_JTH7Uk18oklltlyHkYwcQ2C3SpOIgqFYyT6to4
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Content-type: application/json
Referer: https://localhost/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: .AspNetCore.Session=CfDJ8BCa8m6CvM5GparPYbgIX8GcURsnOV6r5RkBhFxasg3GeHxhTASIKLGW%2FKbAEe0diH8oX7Vi1JaiKpjHs3k9PAiCsbVFIjF2bketdVNP7XuAk3d4NiCW7xB2bR4CQrubL9E4aoAVVB4tf%2FENL6xRjSWlTxpzywiZ4SHm9%2FLB%2FFd3; ADRUM=s=1575051518681&r=https%3A%2F%2Flocalhost%2F%3F159349506; XSRF-TOKEN=CfDJ8BCa8m6CvM5GparPYbgIX8FXQjjHjRAiGd9e9COKtDhDUbgE7_X9qgikbPsIyHJeRjuw2y-qHEqTn5YESmw0Gj6ZVf9xXF-TUf_ditqyTuBRpeXr_JTH7Uk18oklltlyHkYwcQ2C3SpOIgqFYyT6to4; .AspNetCore.Cookies=CfDJ8BCa8m6CvM5GparPYbgIX8GRcj_GMNMrBD5Dse6ZyfxXHUlF5Ldok61Gtm49-6bEjvFWX7prULqhzvnVSsq_bOoQedsDBIWB11BP2a13ea50u6-QT0ap9j9kTtwXzw-vuZBpiD_N-WIovswE2IQ4MfpG2xuALfjQfVt9g2M_Nv3fhuBJMJnWcs0Oy4XPdDKumJ-pPmB3pvhv6RjeqdKOk_mz8SmU0Pa7-02cXFj9WIq3SbPi1oZy0msgTVpN9HCzbdA2KJJM9oRgsJ_mIN-EqP96WqVYT7SqoQBp2rGk7V-SOxGVSncQ5-j6s6vcL2oURFfyI3Cqz89DNL_lmddf-iJg4uPBcL6qP_2e12k89NHuv0c3F9XIQ9cT8fAfdjUurSpb4PrxrYVs4eSMAyecgWSmvIinCdXdzJUTM4mGKXd4ySwvHCFnL0xgJpuIWH-V4EmP5qsMexfiFAD80xiu2387PrEqLgmA0XGJEM-TEikbr5JQPy-gmxZLTq2sgUofc67v_vzJurdqojgseNw_ZrWke0bn9dSxFakgD7URFcIBeaeIkzTL0mqc_43j3xWUgfi-mpIQtL4Zo4OF_aIh2YQncRWgS5uBZ6RAwN2PnJJy_UoiFU37Adw_5pjqW4kfNQ8pxr1n7MRiPe6yB45qAE6dyGFpvrJ8pWOF5h3mxEz1q7zd4Mo5tcZeBpUooGwkyM5gMx0aSW4wcAL8dYzgMwY-gYDcMD4HJ3-XciFoP6Q0iycpfecQAGbPMfjxNnS0XdAP2bXbYklPcx7D0PL0onMkreBqlliU8oDjCmub-avPLcOB_LMzVn6aUy8_bwv7Qmx4PMPHG27PSEGLuhFu8AdmxfTZOHHtD2OvbIgGbIpodNTTK6Zg7dM6oKBM8RCUa3QszhszBIFaPgz4aGCeCfCLc1-FKujMbOhM3KjgRqkQ_-0ahr2JGEtLNbjx-0QhiJNvR6dDqCAWRQGxbwe-fc1N1CerDa1I_OW2aE8uwgAniPlSu0gCixutaonF5td8MeKe4O4538iHEg4VbcGwr2i6FSP4uTYPfZ3pQ1TBLB1aBRtT2mzFuaNZoPWhpxdnQFDvB1R4riy--364vWD7SygiQx9aLdVQ-ds2JY-wi0Dx0VyOP0csZ1NvBnrqOj7IPQWLrclHf1S3qokFwSV6ynqEf0iWvuUgES1PfsvN2xP4ESKT5CJPvS-9iMem9mmBGaT7P6vFDaknDpFy640wKNLRREgVCK7ByVNEF7qGmaPTPu21H08WIDwtt4Rmut8zEQ1-DaAOe2BWUKzL8Y9OR_cgcMIfL6ZjergoeYowNucNx5hw1v-h67XpQpDETNiD-me8NKxhnuEgRLFo4_sZOjwPQM5qi4ROw0x2I_GxKV9M-MAd5Z_YlbVUxO3PLxYSg2GqGNl8UR4fFQZrTeKZUu-dM8gy05CK-ULfFkdQAc_afwRPGptqc-Q0PpfQE4Be4Q; 
.AspNetCore.Antiforgery.EsC6NJJg3sg=CfDJ8BCa8m6CvM5GparPYbgIX8GfDalyGMrWa5wwuF0ZcWmHkAfzmHxl2IK7BOBoQWvXmTcq_I7t0a0vCdVfd97--Sj1Dv8v53dg--LHPU9UKz3YBG0MgV_dfvtShz7_7TYbeAdDLtQqAStRwFdCOdSyick
非常感谢您的帮助 - 我已经为此花了一天多的时间,这让我抓狂!
我的猜测是:你把 ASP.NET Core 的 CSRF 缓解机制和 AngularJS 的默认约定混在了一起。
不过先看一个事实:你贴出的请求里 X-XSRF-TOKEN header 的值和 XSRF-TOKEN cookie 的值完全相同,.AspNetCore.Antiforgery.* cookie 也在。也就是说两个令牌都已经送到了服务器,400 是验证器拒绝了这对令牌,而不是缺少 header。要知道确切原因,把 Microsoft.AspNetCore.Antiforgery(以及 Microsoft.AspNetCore.Mvc)的日志级别调到 Debug,验证失败时日志里会给出具体的失败信息。
有两个常见原因值得核对:(1) 请求令牌和 cookie 令牌不是同一次 GetAndStoreTokens 生成的配对——例如 SPA 还拿着旧的 XSRF-TOKEN,而再次访问 / 或 /index.html 时又重新生成了一对;(2) 令牌是在用户尚未登录(匿名)时生成的,而被校验的 POST 已经带上了 .AspNetCore.Cookies 身份验证 cookie——ASP.NET Core 会把请求令牌绑定到当前用户的声明(claims)标识,为匿名用户签发的令牌在已登录用户的请求中会被拒绝,因此登录成功后需要重新签发令牌。
另外一个安全方面的提醒:站点是 HTTPS(Origin 为 https://localhost),所以 XSRF-TOKEN cookie 除了 HttpOnly = false 之外还应设置 Secure = true(并考虑 SameSite),避免请求令牌经明文传输泄露。
如果你想完全绕开 AngularJS 的默认行为:把 header 名称设为 X-XSRF-TOKEN,cookie 名称改为 XSRF-REQUEST-TOKEN(这样 AngularJS 就不会自动读取它),然后为 POST 请求编写一个拦截器,读取该 cookie 并把值放进名为 X-XSRF-TOKEN 的 header 一并发送。
您可以在此处找到样本:
https://www.blinkingcaret.com/2018/11/29/asp-net-core-web-api-antiforgery/