ASP.NET MVC 3 为托管在一台本地服务器上的多门户应用程序提供防伪造保护
我有2个网站,实际上它们是相同的。目的是其中一个供互联网用户使用,第二个供本地使用。 现在它们托管在我的本地主机上的同一 IIS 服务器上。 当我打开这两个网站并尝试获取标有 [ValidateAntiForgeryToken] 的操作结果时,我遇到一个问题,在我的 cookie 中,我有本地主机站点的 cookie,并且有一个名为“RequestVerificationToken_Lw”的 cookie ”这是防伪保护密钥。 问题在于两个站点都使用相同的 cookie 来存储此密钥。因此,如果在一个网站上执行某项操作,当我尝试在另一个网站上执行某项操作时,我会收到防伪错误。
如何更改 cookie 域或任何其他解决方案来分割 cookie?
谢谢你!
I have 2 websites, actually they are the same. The purpose is in that one of them is for internet users and the second one is for local use.
Now they are hosted on the same IIS server on my localhost machine.
When I open this two websites and trying to get action result which is marked with [ValidateAntiForgeryToken] I have an issue that in my cookies i have cookies for my localhost site and there is a cookie with name "RequestVerificationToken_Lw" which is anti-forgery protection key.
And the problem is in that both sites are using the same cookie to store this key. And so if did smth on one web site I get anti-forgery error when I'm trying to do smth on the other.
How can I change cookie domain or any other solutions to split cookies?
Thank You!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
好吧,让我们看看 ValidateAntiforgeryTokenAttribute 做了什么(Reflector/ILSpy 是你的朋友):
public void OnAuthorization(AuthorizationContext filterContext) { if (filterContext == null) { throw new ArgumentNullException("filterContext"); } string antiForgeryTokenName = AntiForgeryData.GetAntiForgeryTokenName(null); string antiForgeryTokenName2 = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath); HttpCookie httpCookie = filterContext.HttpContext.Request.Cookies[antiForgeryTokenName2]; if (httpCookie == null || string.IsNullOrEmpty(httpCookie.Value)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } AntiForgeryData antiForgeryData = this.Serializer.Deserialize(httpCookie.Value); string text = filterContext.HttpContext.Request.Form[antiForgeryTokenName]; if (string.IsNullOrEmpty(text)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } AntiForgeryData antiForgeryData2 = this.Serializer.Deserialize(text); if (!string.Equals(antiForgeryData.Value, antiForgeryData2.Value, StringComparison.Ordinal)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } string username = AntiForgeryData.GetUsername(filterContext.HttpContext.User); if (!string.Equals(antiForgeryData2.Username, username, StringComparison.OrdinalIgnoreCase)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } if (!this.ValidateFormToken(antiForgeryData2)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } }好的,很明显,令牌的 cookie 名称是根据应用程序路径创建的:
string antiForgeryTokenName2 = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath); HttpCookie httpCookie = filterContext.HttpContext.Request.Cookies[antiForgeryTokenName2];因此,您创建自己的过滤器,只需复制粘贴此代码,并更改它以尊重端口(或您区分应用程序的任何内容):
string antiForgeryTokenName2 = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath + filterContext.HttpContext.Request.Url.Port); HttpCookie httpCookie = filterContext.HttpContext.Request.Cookies[antiForgeryTokenName2];这样 cookie 名称(“RequestVerificationToken_Lw”)也会因端口而异。
当然,我们也不能忘记在创建令牌时更改此 cookie 名称。 ,您需要在这里复制粘贴“重新实现”两件事 - 首先是 AntiForgeryToken 扩展方法来调用您自己的 AntiForgeryWorker,然后是 AntiForgeryWorker 本身 - 只需重写方法 GetAntiForgeryTokenAndSetCookie ,它与之前的内容相同:
不幸的是 ,这看起来一团糟,而且绝对不是一个 DRY 解决方案,但如果你真的想要这个,你可以在几分钟内完成。只需使用反射器和复制粘贴:)
Well, lets see what the ValidateAntiforgeryTokenAttribute does (Reflector/ILSpy is your friend) :
public void OnAuthorization(AuthorizationContext filterContext) { if (filterContext == null) { throw new ArgumentNullException("filterContext"); } string antiForgeryTokenName = AntiForgeryData.GetAntiForgeryTokenName(null); string antiForgeryTokenName2 = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath); HttpCookie httpCookie = filterContext.HttpContext.Request.Cookies[antiForgeryTokenName2]; if (httpCookie == null || string.IsNullOrEmpty(httpCookie.Value)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } AntiForgeryData antiForgeryData = this.Serializer.Deserialize(httpCookie.Value); string text = filterContext.HttpContext.Request.Form[antiForgeryTokenName]; if (string.IsNullOrEmpty(text)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } AntiForgeryData antiForgeryData2 = this.Serializer.Deserialize(text); if (!string.Equals(antiForgeryData.Value, antiForgeryData2.Value, StringComparison.Ordinal)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } string username = AntiForgeryData.GetUsername(filterContext.HttpContext.User); if (!string.Equals(antiForgeryData2.Username, username, StringComparison.OrdinalIgnoreCase)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } if (!this.ValidateFormToken(antiForgeryData2)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } }Okay, it is obvious, that the cookie name for the token is made from application path:
string antiForgeryTokenName2 = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath); HttpCookie httpCookie = filterContext.HttpContext.Request.Cookies[antiForgeryTokenName2];So, you create your own filter, just copy-paste this code, and change that to respect also port (or whatever by what you distinguish your applications):
string antiForgeryTokenName2 = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath + filterContext.HttpContext.Request.Url.Port); HttpCookie httpCookie = filterContext.HttpContext.Request.Cookies[antiForgeryTokenName2];This way the cookie name ("RequestVerificationToken_Lw") will vary by port too.
And of course we cant forget to change this cookie name while creating the token too. Unfortunately, you will need to copy-paste "re-implement" 2 things here - first the AntiForgeryToken extension method to call your own AntiForgeryWorker, and then the AntiForgeryWorker itself - just override the method GetAntiForgeryTokenAndSetCookie, it is the same stuff as before :
Well, it seems a mess, and its definitely not a DRY solution, but if you really really want this, you can have it done in few minutes. Just use reflector and copy-paste :)