A lovely attribute...
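using System.Net;          // WebRequestMethods
using System.Web.Helpers;  // AntiForgery, AntiForgeryConfig
using System.Web.Mvc;      // FilterAttribute, IAuthorizationFilter

public class GlobalAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        // Only POST requests are checked.
        if (request.HttpMethod == WebRequestMethods.Http.Post)
        {
            var token = request.Headers["__RequestVerificationToken"];
            if (string.IsNullOrEmpty(token))
            {
                // No header token: fall back to the default form-field + cookie validation.
                AntiForgery.Validate();
            }
            else
            {
                // Header token present: validate it against the anti-forgery cookie value.
                var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName];
                var cookieValue = antiForgeryCookie == null
                    ? null
                    : antiForgeryCookie.Value;
                AntiForgery.Validate(cookieValue, token);
            }
        }
    }
}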
Angular $http post...
$http.post('', this.data, {
    headers: {
        '__RequestVerificationToken':
            $('input[name="__RequestVerificationToken"]').val()
    }
}).success(function (data, status, headers) {
    console.log(data);
});
Then in the HTML...
@Html.AntiForgeryToken()
The cookie value in the browser is as expected, as is the value of the hidden field, but they won't validate.
Why not?