C# .NET Core Antiforgery.GetAndStoreTokens uses the wrong user after calling HttpContext.SignIn
I have been using the .NET Core antiforgery cookie, and after logging in I always returned a new view:
// - HomeController.cs
[HttpPost, ValidateAntiForgeryToken]
public async Task<IActionResult> Login()
{
    ClaimsIdentity identity = new ClaimsIdentity("myAuthType");
    ClaimsPrincipal principal = new ClaimsPrincipal(identity);
    await HttpContext.SignInAsync("myScheme", principal,
        new AuthenticationProperties
        {
            ExpiresUtc = DateTime.UtcNow.AddMinutes(10),
            AllowRefresh = true,
            IsPersistent = true
        });
    return View();
}
But I wanted to log in via Ajax, just because. So I kept everything and changed only the Login:
[HttpPost("Api/User/Login"), ValidateAntiForgeryToken, Produces("application/json")]
public async Task<IActionResult> Login()
{
    var userFromDB = DB.GetUser(1);
    ClaimsIdentity identity = new ClaimsIdentity("myAuthType");
    ClaimsPrincipal principal = new ClaimsPrincipal(identity);
    await HttpContext.SignInAsync("myScheme", principal,
        new AuthenticationProperties
        {
            ExpiresUtc = DateTime.UtcNow.AddMinutes(10),
            AllowRefresh = true,
            IsPersistent = true
        });
    return Json(userFromDB);
}
The error message in the .NET console is "The provided antiforgery token was meant for a different claims-based user than the current user."
I tried this suggestion; it seems a bit hacky and only works on the second request, meaning the user has to see a first "Bad Request" every time the user changes (login and logout).
How can I get/update the user after login so that XSRF token generation works? Or, if there is a better solution, how should I solve this?
Edit: I am now handling it this way, in case anyone has the same problem:
public async Task<IActionResult> Login()
{
    // - Login code omitted for brevity.
    return RedirectToAction("LoginUnelegantWorkaround");
}

public IActionResult LoginUnelegantWorkaround()
{
    var model = DB.FetchModelIWasGoingToReturnBefore();
    return Json(model);
    // - token is properly generated now since User has been updated, everything works
}
// - Same thing needed for Logout
// - Login()
var user = HttpContext.User;
await HttpContext.SignInAsync("Login", principal,
    new AuthenticationProperties
    {
        ExpiresUtc = DateTime.UtcNow.AddMinutes(10),
        AllowRefresh = true,
        IsPersistent = true
    });
var loggedInUser = HttpContext.User;
bool truth = user.Equals(loggedInUser); // - true
// - meaning anything that relies on the new logged in User is invalid from here on.
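The behaviour shown above is the root of the error: SignInAsync only queues the authentication cookie for the response, it does not replace HttpContext.User for the request that is still running, so an antiforgery token generated later in that same request is still bound to the anonymous principal and is rejected once the auth cookie arrives. Instead of redirecting to a second action, the new principal can be assigned to HttpContext.User and a fresh token set issued in the same response. The following is an added example written for this page, not the original poster's code. The scheme name "myScheme", the authentication type "myAuthType", the header name "X-CSRF-TOKEN", the route "Api/User/Logout" and the LoginRequest type are assumptions; credential checking is left out.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Assumed wiring in Startup.ConfigureServices: cookie authentication under the
// scheme "myScheme" and an antiforgery header name the Ajax client sends with
// every POST instead of a hidden form field.
//
//   services.AddAuthentication("myScheme").AddCookie("myScheme");
//   services.AddAntiforgery(o => o.HeaderName = "X-CSRF-TOKEN");

// Request body for the Ajax login call (assumed shape). A real implementation
// would verify the credentials against a user store before signing in.
public class LoginRequest
{
    public string UserId { get; set; }
    public string DisplayName { get; set; }
}

public class AuthApiController : Controller
{
    private readonly IAntiforgery _antiforgery;

    public AuthApiController(IAntiforgery antiforgery)
    {
        _antiforgery = antiforgery;
    }

    // The login POST itself is validated against the anonymous user's token,
    // which is correct: at validation time HttpContext.User is still anonymous.
    [HttpPost("Api/User/Login"), ValidateAntiForgeryToken, Produces("application/json")]
    public async Task<IActionResult> Login([FromBody] LoginRequest request)
    {
        var identity = new ClaimsIdentity("myAuthType");
        // Antiforgery binds the request token to the identity's claims; give it a
        // stable unique identifier so the binding distinguishes users.
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, request.UserId));
        identity.AddClaim(new Claim(ClaimTypes.Name, request.DisplayName));
        var principal = new ClaimsPrincipal(identity);

        await HttpContext.SignInAsync("myScheme", principal, new AuthenticationProperties
        {
            ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(10),
            AllowRefresh = true,
            IsPersistent = true
        });

        // SignInAsync does not touch the current request's principal. Replace it
        // explicitly so everything downstream, antiforgery included, sees the new
        // user rather than the anonymous one the request started with.
        HttpContext.User = principal;

        return Json(new { user = request.DisplayName, csrfToken = IssueFreshToken() });
    }

    [HttpPost("Api/User/Logout"), ValidateAntiForgeryToken, Produces("application/json")]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync("myScheme");
        // Same problem in reverse: downgrade the request's principal to anonymous
        // before generating the token the now-anonymous client will use next.
        HttpContext.User = new ClaimsPrincipal(new ClaimsIdentity());
        return Json(new { csrfToken = IssueFreshToken() });
    }

    // GetAndStoreTokens writes the antiforgery cookie onto the response and
    // returns the matching request token for the *current* HttpContext.User.
    // The client must replace its stored token with this value; the one it
    // used for the login/logout call is bound to the previous user and is now
    // invalid.
    private string IssueFreshToken()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return tokens.RequestToken;
    }
}
```

On the client, read csrfToken from the JSON response and send it in the X-CSRF-TOKEN header on every subsequent POST. If the page also renders forms with the form tag helper after an Ajax login, the hidden field they contain was generated for the previous user as well, so either reload the page or update those fields from the same response.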