cookie 过期后从 Identity 注销会导致 http 错误 400
Logging out from Identity after cookie has expired causes http error 400
在我的 _LoginPartial.cshtml 中,我有这个注销按钮:
<form id="logoutForm" class="form-inline" asp-area="Identity" asp-page="/Account/Logout" asp-route-returnUrl="@Url.Action("Index", "", new { area = "" })">
<button id="logout" type="submit">
Log out
</button>
</form>
然后,据我所知,Logout.cshtml.cs 被称为:
public class LogoutModel : PageModel
{
private readonly SignInManager<ApplicationUser> _signInManager;
private readonly ILogger<LogoutModel> _logger;
public LogoutModel(SignInManager<ApplicationUser> signInManager, ILogger<LogoutModel> logger)
{
_signInManager = signInManager;
_logger = logger;
}
public void OnGet()
{
}
public async Task<IActionResult> OnPost(string returnUrl = null)
{
await _signInManager.SignOutAsync();
_logger.LogInformation("User logged out.");
if (returnUrl != null)
{
return LocalRedirect(returnUrl);
}
else
{
return RedirectToPage();
}
}
}
但是如果当用户按下 "Log out" 时用户会话 cookie 已过期,我会收到以下描述性错误消息:
HTTP ERROR 400
在 Logout.cshtml.cs 中任意位置设置的任何断点都不会命中。
发生了什么事?
if the user session cookie has expired when the user presses "Log out", I get this descriptive error message:
HTTP ERROR 400
Any breakpoints set anywhere in Logout.cshtml.cs is never hit.
据我们所知,Razor Pages 会自动受到 XSRF/CSRF 的保护。而客户端用户发送给服务器的防伪令牌(与当前用户的身份相关联)如果当前用户的身份验证过期会导致验证失败,从而导致上述错误。
要修复上述错误,您可以将 IgnoreAntiforgeryToken 属性应用于 LogoutModel class,如下所示。
[AllowAnonymous]
[IgnoreAntiforgeryToken]
public class LogoutModel : PageModel
{
您可以从以下文档中获取有关“防止跨站请求伪造 (XSRF/CSRF) 攻击”的详细信息:
https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.1
在我的 _LoginPartial.cshtml 中,我有这个注销按钮:
<form id="logoutForm" class="form-inline" asp-area="Identity" asp-page="/Account/Logout" asp-route-returnUrl="@Url.Action("Index", "", new { area = "" })">
<button id="logout" type="submit">
Log out
</button>
</form>
然后,据我所知,Logout.cshtml.cs 被称为:
public class LogoutModel : PageModel
{
private readonly SignInManager<ApplicationUser> _signInManager;
private readonly ILogger<LogoutModel> _logger;
public LogoutModel(SignInManager<ApplicationUser> signInManager, ILogger<LogoutModel> logger)
{
_signInManager = signInManager;
_logger = logger;
}
public void OnGet()
{
}
public async Task<IActionResult> OnPost(string returnUrl = null)
{
await _signInManager.SignOutAsync();
_logger.LogInformation("User logged out.");
if (returnUrl != null)
{
return LocalRedirect(returnUrl);
}
else
{
return RedirectToPage();
}
}
}
但是如果当用户按下 "Log out" 时用户会话 cookie 已过期,我会收到以下描述性错误消息:
HTTP ERROR 400
在 Logout.cshtml.cs 中任意位置设置的任何断点都不会命中。
发生了什么事?
if the user session cookie has expired when the user presses "Log out", I get this descriptive error message:
HTTP ERROR 400
Any breakpoints set anywhere in Logout.cshtml.cs is never hit.
据我们所知,Razor Pages 会自动受到 XSRF/CSRF 的保护。而客户端用户发送给服务器的防伪令牌(与当前用户的身份相关联)如果当前用户的身份验证过期会导致验证失败,从而导致上述错误。
要修复上述错误,您可以将 IgnoreAntiforgeryToken 属性应用于 LogoutModel class,如下所示。
[AllowAnonymous]
[IgnoreAntiforgeryToken]
public class LogoutModel : PageModel
{
您可以从以下文档中获取有关“防止跨站请求伪造 (XSRF/CSRF) 攻击”的详细信息:
https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.1