我知道(强烈怀疑)这是因为AntiRequestForgery令牌无效。
我正在使用Fiddler发出两个请求。第一个返回具有以下形式的页面:
GET http://localhost:5000/ HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-GB,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393
Accept-Encoding: gzip, deflate
Host: localhost:5000
Connection: Keep-Alive
Cookie: Webstorm-c18bf75a=81231d9f-edfd-4dbe-bb5a-f6a38d7df3c8; Webstorm-e6130ebb=b043c250-7e3b-44e1-ae53-2a1fd1e938ad; ai_user=a5B0s|2018-04-18T10:45:08.497Z; Webstorm-4df43b9a=25c25d80-7f4a-4ecf-8b74-a84698ccdfbe; .AspNetCore.Antiforgery.eVFzQSsi0_I=CfDJ8ERJiHn9THRElV--1wHd1Ro9Jv2DKwgMTQr1VCL4I-TphhEyTEiHsVS0z8K-Jyz_6VMNQETIEk3Yi5czv3rgMAwzmG76UrsB078j5oPJ8m6esxBQ8zLH9OEpeXqMDu570wRLkCSEQPyTIakVibTOmEM
HTTP/1.1 200 OK
Date: Sun, 25 Nov 2018 14:44:15 GMT
Content-Type: text/html; charset=utf-8
Server: Kestrel
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 697
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width" />
<title>Index</title>
</head>
<body>
<article>
<section>
<h1>Index</h1>
</section>
<section>
<form method="post" action="/Echo">
<p><label for="message">Enter message: </label><input type="text" name="message" id="message"/></p>
<p><input type="submit" value="Submit"/></p>
<input name="__RequestVerificationToken" type="hidden" value="CfDJ8ERJiHn9THRElV--1wHd1Rp9WyK4QCn6-wcGhXPDZHOFgkcjhJEBGrYgrsoDN3ETiqDId6aMvaHxmtunVp8ioxWYWAMqVqp3HU4ErpY7_lUzw1monlv7AMPY_Q2mzcP1YijG-86DgSeJXaXnpCWNl4c" /></form>
</section>
</article>
</body>
</html>
我可以看到嵌入式令牌,我想以JSON而不是url编码的形式发送帖子。我要发送的第二个请求是:
POST http://localhost:5000/Echo HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://localhost:5000/
Accept-Language: en-GB,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393
Content-Type: application/json
Accept-Encoding: gzip, deflate
Content-Length: 229
Host: localhost:5000
Connection: Keep-Alive
Pragma: no-cache
Cookie: Webstorm-c18bf75a=81231d9f-edfd-4dbe-bb5a-f6a38d7df3c8; Webstorm-e6130ebb=b043c250-7e3b-44e1-ae53-2a1fd1e938ad; ai_user=a5B0s|2018-04-18T10:45:08.497Z; Webstorm-4df43b9a=25c25d80-7f4a-4ecf-8b74-a84698ccdfbe; .AspNetCore.Antiforgery.eVFzQSsi0_I=CfDJ8ERJiHn9THRElV--1wHd1Ro9Jv2DKwgMTQr1VCL4I-TphhEyTEiHsVS0z8K-Jyz_6VMNQETIEk3Yi5czv3rgMAwzmG76UrsB078j5oPJ8m6esxBQ8zLH9OEpeXqMDu570wRLkCSEQPyTIakVibTOmEM
{
"message": "Hello+World",
"__RequestVerificationToken": "CfDJ8ERJiHn9THRElV--1wHd1Rp9WyK4QCn6-wcGhXPDZHOFgkcjhJEBGrYgrsoDN3ETiqDId6aMvaHxmtunVp8ioxWYWAMqVqp3HU4ErpY7_lUzw1monlv7AMPY_Q2mzcP1YijG-86DgSeJXaXnpCWNl4c"
}
这将返回400:
HTTP/1.1 400 Bad Request
Date: Sun, 25 Nov 2018 14:45:12 GMT
Server: Kestrel
Content-Length: 0
发布JSON时应如何传递令牌?
答案 0 :(得分:0)
从字面上看,答案是正确的。 tokan应该作为标题传递:
__RequestVerificationToken: CfDJ8ERJiHn9THRElV--1wHd1RqrINvuOTauZLAAg86eE91T6PHlKf21JOJVGA1TdMoksEVSlE-UWkOon2A0x1RSOqy0gQ_uSZxwQiBy8YArAowajUR1uJo3B4XAWl3abaToa8Gp8K4SPJ1hmSKjXAwzZvk