MVC ValidateAntiForgeryToken multi-tabs problem

Front-end  Unresolved  3  1260
我在风中等你 2021-02-10 06:01

We'd been getting "A required anti-forgery token was not supplied or was invalid." errors, and on some further investigation, I've managed to recreate the problem in its sim

3 answers
  •  清歌不尽
    2021-02-10 06:19

    Looking at the MVC 2 source code, it looks like the AntiForgeryToken hidden field includes the User.Identity.Name serialized, if you're signed in. In line 69 of the ValidateAntiForgeryTokenAttribute it seems to then check your token against the current User.Identity.Name.

        string currentUsername = AntiForgeryData.GetUsername(filterContext.HttpContext.User);
        if (!String.Equals(formToken.Username, currentUsername, StringComparison.OrdinalIgnoreCase)) {
            // error: form token is not valid for this user
            // (don't care about cookie token)
            throw CreateValidationException();
        }

    Because in your other tab you are now signed in, the code above invalidates the existing token, which doesn't contain the User.Identity.Name.

    This could be fixed by adding a !string.IsNullOrEmpty(formToken.Username) around that check, but I don't know if that will open up security issues, plus it means having a custom MVC 2 build.
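The following is an added model of the check discussed in this answer, not code from ASP.NET MVC 2 or from the answerer: it reproduces the two-tab scenario (form rendered anonymously, sign-in in another tab, stale token submitted) under the strict username comparison and under the proposed "skip the comparison when the token has no username" relaxation, and shows what that relaxation also lets through. The HMAC binding of username to token is a constructed stand-in for the framework's real token signing, which is not shown on the page.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

SECRET = os.urandom(32)  # constructed stand-in for the machine key


@dataclass(frozen=True)
class FormToken:
    username: str  # "" when the form was rendered for an anonymous visitor
    salt: str
    mac: str


def issue_token(username: str) -> FormToken:
    """Mint a form token bound to `username` ('' for anonymous)."""
    salt = os.urandom(8).hex()
    mac = hmac.new(SECRET, f"{salt}|{username}".encode(), hashlib.sha256).hexdigest()
    return FormToken(username, salt, mac)


def validate(token: FormToken, current_username: str, allow_anonymous_token: bool = False) -> bool:
    """Strict mode mirrors the ValidateAntiForgeryTokenAttribute check quoted above:
    the username inside the token must equal the current User.Identity.Name
    (case-insensitive). allow_anonymous_token=True applies the relaxation the
    answer proposes: skip the comparison when the token carries no username."""
    expected = hmac.new(SECRET, f"{token.salt}|{token.username}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.mac):
        return False  # token was forged or tampered with
    if allow_anonymous_token and token.username == "":
        return True
    return token.username.lower() == current_username.lower()


def two_tab_scenario(relaxed: bool) -> dict:
    """Tab A renders a form while anonymous; tab B then signs in as 'alice';
    tab A finally submits its stale token. Returns what each check decides."""
    tab_a_token = issue_token("")  # issued before the sign-in happened
    signed_in_as = "alice"  # sign-in performed in tab B
    return {
        "stale_anonymous_token_accepted": validate(tab_a_token, signed_in_as, relaxed),
        "fresh_token_accepted": validate(issue_token("alice"), signed_in_as, relaxed),
        # the trade-off of the relaxation: an anonymous token is then valid for any account
        "anonymous_token_accepted_for_bob": validate(tab_a_token, "bob", relaxed),
    }
```

The third key is the point of the answerer's reservation: once tokens without a username bypass the comparison, the token stops being tied to the signed-in identity at all.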
