ValidateAntiforgeryToken 不适用于 ASP.NET MVC 中的 Ajax
ValidateAntiforgeryToken not working with Ajax in ASP.NET MVC
有这个观点:
@using (Html.BeginForm(null, null, FormMethod.Post, new { id = "__AjaxAntiForgeryForm" }))
{
@Html.AntiForgeryToken()
<div id='calendar'></div>
<script src="~/Scripts/Services/Agenda.js" type="text/javascript"></script>
}
执行如下两行JS代码:
let form = $('#__AjaxAntiForgeryForm');
let token = $('input[name="__RequestVerificationToken"]', form).val();
然后调用这个函数:
function dbUpdate(data, startTime, title) {
let evento = JSON.stringify({
'Data': data,
'StartTime': startTime,
'Title': title,
'__RequestVerificationToken': token
});
$.ajax({
type: "POST",
url: 'Agenda/DbUpdate',
data: evento,
contentType: "application/json; charset=utf-8",
dataType: "json",
success: function (response) {
console.log("Response");
},
complete: function () {
console.log("After");
},
failure: function (jqXHR, textStatus, errorThrown) {
alert("HTTP Status: " + jqXHR.status + "; Error Text: " + jqXHR.responseText); // Display error message
}
});
}
- Json 生成的示例:
{
"Data":"2020-0105T03:00:00.000Z",
"StartTime":"8",
"Title":"Sdf",
"__RequestVerificationToken":"IMBfPM4YPyslt_89W6Kfu_Nmy6OW2-8I4n3fp42Figy__2gid3wY8gMC-
glB2o3Y6v6TCEG18nZXRPfLltU2RpOvoy-rMFIyo-uPA2XL4JcFF1aJfXix6RWkTI5l6Ewqhyu5jSQnszEOre2ZP-az3Q2"
}
控制器是:
[HttpPost]
[AjaxAuthorize]
[ValidateAntiForgeryToken]
public async Task<JsonResult> DbUpdate(AgendaEvent compromisso)
{
...
return Json("ok");
}
和 AgendaEvent class:
public DateTime Data { get; set; }
public string StartTime { get; set; }
public string Title { get; set; }
public string __RequestVerificationToken { get; set; }
请注意,如果我制作 class 而没有 __RequestVerificationToken,则为:
public DateTime Data { get; set; }
public string StartTime { get; set; }
public string Title { get; set; }
我收到错误 404。
但是令牌,即使存在于传递的数据中,也未经过验证。
怎么了?
根据 lordvlad30 的建议,错误是由于行:
let evento = JSON.stringify({
'Data': data,
'StartTime': startTime,
'Title': title,
'__RequestVerificationToken': token
});
具体来说,它不应该有 JSON.stringify() 语句。因此,正确的是:
let evento = {
'Data': data,
'StartTime': startTime,
'Title': title,
'__RequestVerificationToken': token
};
一切正常!
有这个观点:
@using (Html.BeginForm(null, null, FormMethod.Post, new { id = "__AjaxAntiForgeryForm" }))
{
@Html.AntiForgeryToken()
<div id='calendar'></div>
<script src="~/Scripts/Services/Agenda.js" type="text/javascript"></script>
}
执行如下两行JS代码:
let form = $('#__AjaxAntiForgeryForm');
let token = $('input[name="__RequestVerificationToken"]', form).val();
然后调用这个函数:
function dbUpdate(data, startTime, title) {
let evento = JSON.stringify({
'Data': data,
'StartTime': startTime,
'Title': title,
'__RequestVerificationToken': token
});
$.ajax({
type: "POST",
url: 'Agenda/DbUpdate',
data: evento,
contentType: "application/json; charset=utf-8",
dataType: "json",
success: function (response) {
console.log("Response");
},
complete: function () {
console.log("After");
},
failure: function (jqXHR, textStatus, errorThrown) {
alert("HTTP Status: " + jqXHR.status + "; Error Text: " + jqXHR.responseText); // Display error message
}
});
}
- Json 生成的示例:
{
"Data":"2020-0105T03:00:00.000Z",
"StartTime":"8",
"Title":"Sdf",
"__RequestVerificationToken":"IMBfPM4YPyslt_89W6Kfu_Nmy6OW2-8I4n3fp42Figy__2gid3wY8gMC-
glB2o3Y6v6TCEG18nZXRPfLltU2RpOvoy-rMFIyo-uPA2XL4JcFF1aJfXix6RWkTI5l6Ewqhyu5jSQnszEOre2ZP-az3Q2"
}
控制器是:
[HttpPost]
[AjaxAuthorize]
[ValidateAntiForgeryToken]
public async Task<JsonResult> DbUpdate(AgendaEvent compromisso)
{
...
return Json("ok");
}
和 AgendaEvent class:
public DateTime Data { get; set; }
public string StartTime { get; set; }
public string Title { get; set; }
public string __RequestVerificationToken { get; set; }
请注意,如果我制作 class 而没有 __RequestVerificationToken,则为:
public DateTime Data { get; set; }
public string StartTime { get; set; }
public string Title { get; set; }
我收到错误 404。
但是令牌,即使存在于传递的数据中,也未经过验证。
怎么了?
根据 lordvlad30 的建议,错误是由于行:
let evento = JSON.stringify({
'Data': data,
'StartTime': startTime,
'Title': title,
'__RequestVerificationToken': token
});
具体来说,它不应该有 JSON.stringify() 语句。因此,正确的是:
let evento = {
'Data': data,
'StartTime': startTime,
'Title': title,
'__RequestVerificationToken': token
};
一切正常!