C# 调用HttpContext.SignIn后错误用户的.NET Core Antiforgery.GetAndStoreTokens_C#_.net Core_Csrf

C# 调用HttpContext.SignIn后错误用户的.NET Core Antiforgery.GetAndStoreTokens

c# .net-core

C# 调用HttpContext.SignIn后错误用户的.NET Core Antiforgery.GetAndStoreTokens,c#,.net-core,csrf,C#,.net Core,Csrf,我一直在使用.NET Core（）的Antifforgery Cookie，登录后总是返回一个新视图： // - HomeController.cs [HttpPost, ValidateAntiForgeryToken] public async Task<IActionResult> Login() { ClaimsIdentity identity = new ClaimsIdentity("myAuthType"); ClaimsPrincipal princ

我一直在使用.NET Core（）的Antifforgery Cookie，登录后总是返回一个新视图：

// - HomeController.cs
[HttpPost, ValidateAntiForgeryToken]
public async Task<IActionResult> Login()
{
    ClaimsIdentity identity = new ClaimsIdentity("myAuthType");
    ClaimsPrincipal principal = new ClaimsPrincipal(identity);

    await HttpContext.SignInAsync("myScheme", principal,
        new AuthenticationProperties
        {
            ExpiresUtc = DateTime.UtcNow.AddMinutes(10),
            AllowRefresh = true,
            IsPersistent = true
        });

    return View();
}

但我想通过Ajax登录只是因为。所以我保留了所有内容，只更改了登录名：

[HttpPost("Api/User/Login"), ValidateAntiForgeryToken, Produces("application/json")]
public async Task<IActionResult> Login()
{
    var userFromDB = DB.GetUser(1);

    ClaimsIdentity identity = new ClaimsIdentity("myAuthType");
    ClaimsPrincipal principal = new ClaimsPrincipal(identity);

    await HttpContext.SignInAsync("myScheme", principal,
        new AuthenticationProperties
        {
            ExpiresUtc = DateTime.UtcNow.AddMinutes(10),
            AllowRefresh = true,
            IsPersistent = true
        });

    return Json(userFromDB);
}

.NET控制台中的错误消息是

提供的反伪造令牌是针对不同的基于声明的用户的

。我尝试了这个建议，它似乎有点骇人听闻，它只适用于第二个请求，这意味着用户需要在每次用户更改（登录和注销）时看到第一个“坏请求”。如何在用户登录后获取/更新该用户，以便XSRF令牌生成工作？或者，如果有更好的解决方案，我该如何解决

编辑：我现在正在这样处理它，以防有人有同样的问题：

public async Task<IActionResult> Login()
{
    // - Login code omitted for brevity.
    return RedirectToAction("LoginUnelegantWorkaround");
}

public IActionResult LoginUnelegantWorkaround()
{
    var model = DB.FetchModelIWasGoingToReturnBefore();

    return Json(model);
    // - token is properly generated now since User has been updated, everything works
}

// - Same thing needed for Logout

公共异步任务登录（）
{
//-为简洁起见，省略了登录代码。
返回重定向到操作（“LoginElegantWorkaround”）；
}
public IActionResult LoginElegantWorkaround（）
{
var model=DB.FetchModelIWasGoingToReturnBefore（）；
返回Json（模型）；
//-现在正确生成令牌，因为用户已更新，一切正常
}
//-注销时需要相同的东西

// - Login()
var user = HttpContext.User;
await HttpContext.SignInAsync("Login", principal,
    new AuthenticationProperties
        {
            ExpiresUtc = DateTime.UtcNow.AddMinutes(10),
            AllowRefresh = true,
            IsPersistent = true
        });
var loggedInUser = HttpContext.User;

bool truth = user.Equals(loggedInUser); // - true
// - meaning anything that relies on the new logged in User is invalid from here on.

public async Task<IActionResult> Login()
{
    // - Login code omitted for brevity.
    return RedirectToAction("LoginUnelegantWorkaround");
}

public IActionResult LoginUnelegantWorkaround()
{
    var model = DB.FetchModelIWasGoingToReturnBefore();

    return Json(model);
    // - token is properly generated now since User has been updated, everything works
}

// - Same thing needed for Logout