
Javascript: How to handle CSRF tokens with XMLHttpRequest?


The API I am using is CSRF-protected, so I need to make a GET call to obtain the CSRF token and then pass that same token to the POST call.

Below is the way I tried it, but I always get "CSRF token validation failed" as the response to the POST call.

var tryout = new XMLHttpRequest();
tryout.open("GET", "/api/1.0/csrf");
tryout.withCredentials = true;
tryout.setRequestHeader("x-csrf-token", "fetch");
tryout.setRequestHeader("Accept", "application/json");
tryout.setRequestHeader("Content-Type", "application/json; charset=utf-8");
tryout.onreadystatechange = function () {
    console.log(this);
    var csrfToken = this.getResponseHeader('x-csrf-token'); // read while the GET response is still present
    if(tryout.readyState == 4){
        console.log(csrfToken);
        // open() discards the previous response, so getResponseHeader() on the
        // same object returns null from here on; only the csrfToken variable
        // captured above still holds the value
        tryout.open('POST', '/api/1.0/create');
        tryout.setRequestHeader('x-csrf-token', this.getResponseHeader('x-csrf-token'));
        tryout.onreadystatechange = function () {
            console.log("call 2");
            console.log(this.responseText);
        };
        tryout.send();
    }
};
tryout.send();
I suspect the POST call may be starting a new session, so the CSRF token is not valid for that session.


Please guide me on how to make the two XHR calls within the same session.

"x-csrf-token", "fetch" is used with the GET method to fetch data. Then you will get the csrf token value. Just copy it and add it to your code, and it may work.

I tried using XMLHttpRequest with synchronous calls, using the same xhr object for both calls (fetching the csrf token and then the HTTP POST call passing the csrf token in the header), and it worked. Below is the sample code.

var res = null;
var obj = {}; // request body; the actual payload was left out of the post
var tryout = new XMLHttpRequest();
// third argument false makes the request synchronous: send() returns
// only after the response has arrived
tryout.open("GET", "/odata/1.0/service.svc", false);
tryout.withCredentials = true;
tryout.setRequestHeader("x-csrf-token", "fetch");
tryout.setRequestHeader("Accept", "application/json");
tryout.setRequestHeader("Content-Type", "application/json; charset=utf-8");
tryout.send(null);

if(tryout.readyState === 4){
  // capture the token before open() clears the GET response
  var csrfToken = tryout.getResponseHeader('x-csrf-token');

  tryout.open('POST', '/odata/1.0/service.svc/Clients', false);
  tryout.setRequestHeader('x-csrf-token', csrfToken);
  tryout.setRequestHeader("Content-Type", "application/json; charset=utf-8");
  tryout.setRequestHeader("Accept", "application/json");

  tryout.send(JSON.stringify(obj));

  if(tryout.readyState === 4){
      // at top level `this` is not the XHR object; read from tryout
      res = JSON.parse(tryout.responseText);
  }
}

What is obj? Is it defined anywhere?

Yes, McJohnson, obj is defined; it is the request body. Somehow I missed copying that part of the snippet here.
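The two-request pattern the question asks about, done asynchronously with two separate XMLHttpRequest objects, added here as an example; it is not code from the question or from the asker's own answer above. It checks the status of the token GET, captures the header value before any further open() (a re-opened XHR discards its previous response, so getResponseHeader() on it returns null), and sets withCredentials on both requests so the POST arrives in the session the token was issued for. Since a browser and the real API are not available offline, a constructed in-memory stand-in (FakeXHR and serverHandle, both assumed and not any real server's behaviour) plays both parts; the endpoint paths and the "x-csrf-token: fetch" convention are taken from the question. The second demo drops the credentials on both calls and reproduces the "CSRF token validation failed" symptom the question describes.

```javascript
// Added example, not code from the original post.
// ---- constructed fake server: the CSRF token is bound to a session cookie ----
const sessions = new Map();            // sid -> csrf token
let nextSid = 1;
function serverHandle(method, url, headers, body) {
  let sid = headers.cookie && headers.cookie.startsWith('sid=') ? headers.cookie.slice(4) : null;
  if (!sid || !sessions.has(sid)) {    // no valid cookie: start a new session
    sid = 'S' + nextSid++;
    sessions.set(sid, 'tok-' + sid);   // constructed token format, assumed
  }
  const resp = (status, extra, text) =>
    ({ status, headers: Object.assign({ 'set-cookie': 'sid=' + sid }, extra), body: text });
  if (method === 'GET' && url === '/api/1.0/csrf' && headers['x-csrf-token'] === 'fetch') {
    return resp(200, { 'x-csrf-token': sessions.get(sid) }, '');
  }
  if (method === 'POST' && url === '/api/1.0/create') {
    if (headers['x-csrf-token'] !== sessions.get(sid)) {
      return resp(403, {}, 'CSRF token validation failed');
    }
    return resp(201, {}, JSON.stringify({ created: JSON.parse(body) }));
  }
  return resp(404, {}, '');
}

// ---- constructed minimal XMLHttpRequest stand-in (delivers synchronously) ----
const cookieJar = { cookie: null };    // what a browser would store for this origin
class FakeXHR {
  constructor() {
    this.readyState = 0; this.status = 0; this.responseText = '';
    this.withCredentials = false; this.onreadystatechange = null; this._rh = null;
  }
  open(method, url) {
    this._method = method; this._url = url; this._h = {};
    this._rh = null;                   // like the real open(): previous response is discarded
    this.readyState = 1;
  }
  setRequestHeader(k, v) { this._h[k.toLowerCase()] = v; }
  getResponseHeader(k) {
    const key = k.toLowerCase();
    return this._rh && key in this._rh ? this._rh[key] : null;
  }
  send(body) {
    const h = Object.assign({}, this._h);
    if (this.withCredentials && cookieJar.cookie) h.cookie = cookieJar.cookie;
    const r = serverHandle(this._method, this._url, h, body);
    if (this.withCredentials && r.headers['set-cookie']) cookieJar.cookie = r.headers['set-cookie'];
    this.status = r.status; this.responseText = r.body; this._rh = r.headers; this.readyState = 4;
    if (this.onreadystatechange) this.onreadystatechange.call(this);
  }
}

// ---- the client-side pattern: fetch the token, then POST with it ----
function postWithCsrf(XHR, body, done, opts = { credentials: true }) {
  const first = new XHR();
  first.open('GET', '/api/1.0/csrf');
  first.withCredentials = opts.credentials;   // send/receive the session cookie
  first.setRequestHeader('x-csrf-token', 'fetch');
  first.setRequestHeader('Accept', 'application/json');
  first.onreadystatechange = function () {
    if (this.readyState !== 4) return;
    if (this.status !== 200) return done({ status: this.status, error: 'token fetch failed' });
    const token = this.getResponseHeader('x-csrf-token');  // capture BEFORE any further open()
    const second = new XHR();                  // separate object: nothing to reset by accident
    second.open('POST', '/api/1.0/create');
    second.withCredentials = opts.credentials; // same cookie => same session the token is bound to
    second.setRequestHeader('x-csrf-token', token);
    second.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
    second.setRequestHeader('Accept', 'application/json');
    second.onreadystatechange = function () {
      if (this.readyState !== 4) return;
      done({ status: this.status, body: this.responseText });
    };
    second.send(JSON.stringify(body));
  };
  first.send(null);
}

// Credentials on both calls: the POST lands in the session that issued the token.
function demoSameSession() {
  let out; postWithCsrf(FakeXHR, { name: 'x' }, (r) => { out = r; }); return out;
}
// No credentials: the POST starts a new session and the token no longer matches.
function demoNewSession() {
  let out; postWithCsrf(FakeXHR, { name: 'x' }, (r) => { out = r; }, { credentials: false }); return out;
}
```

In a page, pass the browser's XMLHttpRequest in place of FakeXHR. The synchronous variant in the answer above works, but synchronous XHR on the main thread is deprecated in browsers, and the asynchronous form needs no shared object between the two calls.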