RequestVerificationToken cookie is not present in the response

Posted on 2024-08-18 19:15:26

My ASP.NET MVC application prevents CSRF attacks by using the ValidateAntiForgeryToken attribute and calling Html.AntiForgeryToken to write a hidden input element with the token value, and also place the token in the cookie.

My exception log is reporting occurrences of HttpAntiForgeryException that look like they were triggered from valid Requests (the Referrer looks correct). The Response causing the exception also contains __RequestValidationToken in the Form field, with the token value. However, the necessary cookie is missing from the Request, causing the Validation to fail and exception to be thrown.

I'm trying to think of why this cookie is missing and have come up with the following possible reasons:

  1. Cookies collection is full for the domain. - If this were the case here I'd expect to see 20/50 cookies in each request (BTW all the User-Agents are IE7 and IE8) and somehow the cookie is being dropped. I'm seeing between 3 and 23 cookies in various occurrences of the exception
  2. Data limit of cookies has been reached. - This isn't happening. By looking at the logs I can see the cookie collection is small.
  3. The response is being sent back before the cookie can be added. - Not sure about this one. Manually calling Response.Flush in the head results in an Exception stating the cookies collection can't be modified after the response has been sent.
  4. ?

In desperation I turn to the people at SO and ask for any other possible causes of this missing cookie that I can investigate.
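The elimination process described in the question, written as a log-triage script (an added example, not part of the original post). The record schema, the sample records and the `header_limit` threshold are assumptions; `count_limit` defaults to the lower of the "20/50" figures the question cites.

```python
from collections import Counter
from urllib.parse import parse_qs

TOKEN = "__RequestVerificationToken"  # anti-forgery form field / cookie name

def parse_cookie_header(header):
    """Split a raw Cookie request header into {name: value}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies

def triage(record, count_limit=20, header_limit=4096):
    """Classify one request that raised HttpAntiForgeryException.

    record holds 'cookie' (raw Cookie header) and 'body' (url-encoded
    form): an assumed log schema. header_limit is an assumed byte threshold.
    """
    raw = record.get("cookie", "")
    cookies = parse_cookie_header(raw)
    form = parse_qs(record.get("body", ""), keep_blank_values=True)
    if TOKEN not in form:
        return "no-form-token"            # not the case the question describes
    # Prefix match tolerates a suffix appended to the cookie name.
    if any(name.startswith(TOKEN) for name in cookies):
        return "token-mismatch"           # both halves arrived but did not validate
    if not cookies:
        return "no-cookies-sent"          # browser returned no cookies at all
    if len(cookies) >= count_limit:
        return "cookie-count-at-limit"    # hypothesis 1 in the question
    if len(raw.encode()) >= header_limit:
        return "cookie-data-at-limit"     # hypothesis 2 in the question
    return "token-cookie-only-missing"    # limits ruled out; check how the page is served

def summarize(records, **limits):
    """Count triage outcomes across many logged failures."""
    return Counter(triage(r, **limits) for r in records)

# Constructed sample records (not taken from any real log).
FORM = TOKEN + "=abc123&Name=test"
SAMPLES = [
    {"cookie": "ASP.NET_SessionId=s1; theme=dark; lang=en", "body": FORM},
    {"cookie": "", "body": FORM},
    {"cookie": "; ".join("c%d=v" % i for i in range(23)), "body": FORM},
    {"cookie": "ASP.NET_SessionId=s1; " + TOKEN + "=zzz", "body": FORM},
]

if __name__ == "__main__":
    for outcome, n in summarize(SAMPLES).items():
        print(outcome, n)
```

A log dominated by `token-cookie-only-missing` or `no-cookies-sent` rules out the two limit hypotheses and points at how the browser handled the cookie, which is where the answers below end up.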


沙沙粒小 2024-08-25 19:15:27

According to Josh's answer (cross-domain issue within an iFrame), I placed the piece of code into the BeginExecute method of my controller to achieve the desired behaviour for each call. In addition, with a base controller that every other controller is derived from, you can ensure that all your actions will run if your site is embedded within an iFrame.

protected override IAsyncResult BeginExecute(System.Web.Routing.RequestContext requestContext, AsyncCallback callback, object state)
{
    requestContext.HttpContext.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

    return base.BeginExecute(requestContext, callback, state);
}

空城仅有旧梦在 2024-08-25 19:15:26

I was having the exact same issue. My content was being presented through a cross domain iframe. According to Adam Young, IE will automatically block third party cookies unless you define a P3P policy in the header.

I added code to inject the p3p policy into the header and just call it from each action that I use in my iframe. So far, we have not seen this error turn up. I hope this solution helps someone else.

public static void SetP3PCompactPolicy()
{
    HttpContext.Current.Response.AddHeader("p3p", 
    "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
}

I also defined a machine key, although I'm not sure that was necessary.
