Can anyone help me spot what I'm doing wrong, or suggest ways to work out what is going on?
I'm trying to implement antiforgery with .NET Core 2.2 and Angular 1.x.
I have followed the guidance at https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.2
and I'm adding Antiforgery in Startup.ConfigureServices:
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAntiforgery(options =>
        {
            options.HeaderName = "X-XSRF-TOKEN";
        });
        ...
and setting the cookie in Configure:
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, IAntiforgery antiforgery)
    {
        app.Use(next => context =>
        {
            if (
                string.Equals(context.Request.Path.Value, "/", StringComparison.OrdinalIgnoreCase) ||
                string.Equals(context.Request.Path.Value, "/index.html", StringComparison.OrdinalIgnoreCase))
            {
                // We can send the request token as a JavaScript-readable cookie, and Angular will use it by default.
                var tokens = antiforgery.GetAndStoreTokens(context);
                context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
                    new CookieOptions() { HttpOnly = false });
            }
            return next(context);
        });
    }
and I'm decorating the controller:
    namespace myApp.Controllers
    {
        [Authorize]
        [Route("api/[controller]")]
        [AutoValidateAntiforgeryToken]
        public class MyController : BaseController {
        ...
Calls to the API return 400 (Bad Request).
Looking at the request, I can see that both the header and the cookie value are set:
    POST /api/workorder/Comments HTTP/1.1
    Host: localhost
    Connection: keep-alive
    Content-Length: 98
    Accept: application/json, text/plain, */*
    Origin: https://localhost
    X-XSRF-TOKEN: CfDJ8BCa8m6CvM5GparPYbgIX8FXQjjHjRAiGd9e9COKtDhDUbgE7_X9qgikbPsIyHJeRjuw2y-qHEqTn5YESmw0Gj6ZVf9xXF-TUf_ditqyTuBRpeXr_JTH7Uk18oklltlyHkYwcQ2C3SpOIgqFYyT6to4
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
    Content-type: application/json
    Referer: https://localhost/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
    Cookie: .AspNetCore.Session=CfDJ8BCa8m6CvM5GparPYbgIX8GcURsnOV6r5RkBhFxasg3GeHxhTASIKLGW%2FKbAEe0diH8oX7Vi1JaiKpjHs3k9PAiCsbVFIjF2bketdVNP7XuAk3d4NiCW7xB2bR4CQrubL9E4aoAVVB4tf%2FENL6xRjSWlTxpzywiZ4SHm9%2FLB%2FFd3; ADRUM=s=1575051518681&r=https%3A%2F%2Flocalhost%2F%3F159349506; XSRF-TOKEN=CfDJ8BCa8m6CvM5GparPYbgIX8FXQjjHjRAiGd9e9COKtDhDUbgE7_X9qgikbPsIyHJeRjuw2y-qHEqTn5YESmw0Gj6ZVf9xXF-TUf_ditqyTuBRpeXr_JTH7Uk18oklltlyHkYwcQ2C3SpOIgqFYyT6to4; .AspNetCore.Cookies=CfDJ8BCa8m6CvM5GparPYbgIX8GRcj_GMNMrBD5Dse6ZyfxXHUlF5Ldok61Gtm49-6bEjvFWX7prULqhzvnVSsq_bOoQedsDBIWB11BP2a13ea50u6-QT0ap9j9kTtwXzw-vuZBpiD_N-WIovswE2IQ4MfpG2xuALfjQfVt9g2M_Nv3fhuBJMJnWcs0Oy4XPdDKumJ-pPmB3pvhv6RjeqdKOk_mz8SmU0Pa7-02cXFj9WIq3SbPi1oZy0msgTVpN9HCzbdA2KJJM9oRgsJ_mIN-EqP96WqVYT7SqoQBp2rGk7V-SOxGVSncQ5-j6s6vcL2oURFfyI3Cqz89DNL_lmddf-iJg4uPBcL6qP_2e12k89NHuv0c3F9XIQ9cT8fAfdjUurSpb4PrxrYVs4eSMAyecgWSmvIinCdXdzJUTM4mGKXd4ySwvHCFnL0xgJpuIWH-V4EmP5qsMexfiFAD80xiu2387PrEqLgmA0XGJEM-TEikbr5JQPy-gmxZLTq2sgUofc67v_vzJurdqojgseNw_ZrWke0bn9dSxFakgD7URFcIBeaeIkzTL0mqc_43j3xWUgfi-mpIQtL4Zo4OF_aIh2YQncRWgS5uBZ6RAwN2PnJJy_UoiFU37Adw_5pjqW4kfNQ8pxr1n7MRiPe6yB45qAE6dyGFpvrJ8pWOF5h3mxEz1q7zd4Mo5tcZeBpUooGwkyM5gMx0aSW4wcAL8dYzgMwY-gYDcMD4HJ3-XciFoP6Q0iycpfecQAGbPMfjxNnS0XdAP2bXbYklPcx7D0PL0onMkreBqlliU8oDjCmub-avPLcOB_LMzVn6aUy8_bwv7Qmx4PMPHG27PSEGLuhFu8AdmxfTZOHHtD2OvbIgGbIpodNTTK6Zg7dM6oKBM8RCUa3QszhszBIFaPgz4aGCeCfCLc1-FKujMbOhM3KjgRqkQ_-0ahr2JGEtLNbjx-0QhiJNvR6dDqCAWRQGxbwe-fc1N1CerDa1I_OW2aE8uwgAniPlSu0gCixutaonF5td8MeKe4O4538iHEg4VbcGwr2i6FSP4uTYPfZ3pQ1TBLB1aBRtT2mzFuaNZoPWhpxdnQFDvB1R4riy--364vWD7SygiQx9aLdVQ-ds2JY-wi0Dx0VyOP0csZ1NvBnrqOj7IPQWLrclHf1S3qokFwSV6ynqEf0iWvuUgES1PfsvN2xP4ESKT5CJPvS-9iMem9mmBGaT7P6vFDaknDpFy640wKNLRREgVCK7ByVNEF7qGmaPTPu21H08WIDwtt4Rmut8zEQ1-DaAOe2BWUKzL8Y9OR_cgcMIfL6ZjergoeYowNucNx5hw1v-h67XpQpDETNiD-me8NKxhnuEgRLFo4_sZOjwPQM5qi4ROw0x2I_GxKV9M-MAd5Z_YlbVUxO3PLxYSg2GqGNl8UR4fFQZrTeKZUu-dM8gy05CK-ULfFkdQAc_afwRPGptqc-Q0PpfQE4Be4Q; .AspNetCore.Antiforgery.EsC6NJJg3sg=CfDJ8BCa8m6CvM5GparPYbgIX8GfDalyGMrWa5wwuF0ZcWmHkAfzmHxl2IK7BOBoQWvXmTcq_I7t0a0vCdVfd97--Sj1Dv8v53dg--LHPU9UKz3YBG0MgV_dfvtShz7_7TYbeAdDLtQqAStRwFdCOdSyick
I'd really appreciate any help - I've spent a whole day on this and it's driving me crazy!
Answer 0 (score: 1)
My guess is that you are mixing ASP.NET Core's mechanism with Angular's approach to CSRF mitigation!
Forget about Angular, and set the header name to X-XSRF-TOKEN and the cookie name to XSRF-REQUEST-TOKEN.
Then write an interceptor for POST requests that reads that cookie and sends it along with your request as an additional header named X-XSRF-TOKEN.
You can find an example here:
https://www.blinkingcaret.com/2018/11/29/asp-net-core-web-api-antiforgery/
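The interceptor the answer describes, written out as an added example (not code from the question, the answer or the linked post): a cookie-reading helper and an AngularJS 1.x request interceptor that copies the XSRF-REQUEST-TOKEN cookie into the X-XSRF-TOKEN header, only for unsafe methods and only for same-origin URLs. The cookie and header names are the ones the answer gives; the module name 'app' in the browser wiring is an assumption.

```javascript
// Return the value of one cookie from a document.cookie-style string ("a=1; b=2"), or null.
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    if (pair.slice(0, idx).trim() === name) {
      return decodeURIComponent(pair.slice(idx + 1).trim());
    }
  }
  return null;
}

// Relative URLs are same-origin; absolute URLs count as cross-origin unless they start
// with the configured origin. The request token must never be sent to another origin.
function isCrossOrigin(url, origin) {
  if (!/^(https?:)?\/\//i.test(url)) return false;
  return !origin || !url.toLowerCase().startsWith(origin.toLowerCase());
}

// Build an AngularJS 1.x $http request interceptor. getCookieString is injected so the
// logic also runs outside a browser (a test passes a constructed string; the browser
// passes () => document.cookie). Defaults are the names from the answer above.
function createXsrfInterceptor(getCookieString, options) {
  const opts = options || {};
  const cookieName = opts.cookieName || 'XSRF-REQUEST-TOKEN';
  const headerName = opts.headerName || 'X-XSRF-TOKEN';
  const safeMethods = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
  return {
    request(config) {
      const method = (config.method || 'GET').toUpperCase();
      // AutoValidateAntiforgeryToken only validates unsafe methods, so only those get the header.
      if (safeMethods.has(method) || isCrossOrigin(config.url || '', opts.origin)) return config;
      const token = readCookie(getCookieString(), cookieName);
      if (token !== null) {
        config.headers = Object.assign({}, config.headers, { [headerName]: token });
      }
      return config;
    },
  };
}

// Browser wiring (module name 'app' is assumed); skipped when angular is not loaded.
if (typeof angular !== 'undefined') {
  angular.module('app')
    .factory('xsrfInterceptor', () =>
      createXsrfInterceptor(() => document.cookie, { origin: window.location.origin }))
    .config(['$httpProvider', ($httpProvider) => $httpProvider.interceptors.push('xsrfInterceptor')]);
}
```

Because the cookie is named XSRF-REQUEST-TOKEN rather than XSRF-TOKEN, AngularJS's built-in XSRF handling no longer finds it, so this interceptor is the only thing that sets the header.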