Mvc3 Antiforgery token multi tabs

2019-02-03 17:48发布

站内问答 / 前端开发
822 2 4

we have a specific issue with the anti forgery token on the login page. If the user logs in with only one active window everything works great however if the user opens the login page in two different windows and logs in from window A (no issues will login), and the goes back to login from window B in this window the user will receive "A required anti-forgery token was not supplied or was invalid".

Is there any way around this other then to remove the anti forgery token from the view/controller action? We would prefer to have the token for additional security!

This is very similar to this question however this was asked for mvc2 MVC ValidateAntiForgeryToken multi-tabs problem

2条回答
冷血范
2楼-- · 2019-02-03 18:03

This behaviour in MVC3 or MVC4 is as designed however it is very user-unfriendly as explained above, however in production this issue needs to be solved gracefully and application needs to handle this odd situation. The solution for this problem is to create a filter that is applied to the login post that will verify if the user is logged in and take them to the correct page otherwise they will remain on the login page.

Below is the code for the filter attribute

/// <summary>
/// Handle Antiforgery token exception and redirect to customer area if the user is Authenticated
/// </summary>
public class RedirectOnError : HandleErrorAttribute
{
    /// <summary>
    /// Override the on exception method and check if the user is authenticated and redirect the user 
    /// to the customer service index otherwise continue with the base implamentation
    /// </summary>
    /// <param name="filterContext">Current Exception Context of the request</param>
    public override void OnException(ExceptionContext filterContext)
    {
        if (filterContext.Exception is HttpAntiForgeryException && filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Set response code back to normal
            filterContext.HttpContext.Response.StatusCode = 200;

            // Handle the exception
            filterContext.ExceptionHandled = true;

            UrlHelper urlH = new UrlHelper(filterContext.HttpContext.Request.RequestContext);

            // Create a new request context
            RequestContext rc = new RequestContext(filterContext.HttpContext, filterContext.RouteData);

            // Create a new return url
            string url = RouteTable.Routes.GetVirtualPath(rc, new RouteValueDictionary(new { Controller = "CustomerArea", action = "Index" })).VirtualPath;

            // Check if there is a request url
            if (filterContext.HttpContext.Request.Params["ReturnUrl"] != null && urlH.IsLocalUrl(filterContext.HttpContext.Request.Params["ReturnUrl"]))
            {
                url = filterContext.HttpContext.Request.Params["ReturnUrl"];
            }

            // Redirect the user back to the customer service index page
            filterContext.HttpContext.Response.Redirect(url, true);
        }
        else
        {
            // Continue to the base
            base.OnException(filterContext);
        }
    }
}

This is the example of usage

        [HttpPost]
        **[RedirectOnError]**
        [ValidateAntiForgeryToken]
        public ActionResult LogOn(LogOnViewModel model, UserSessionState session, string returnUrl)
        {
        .....
        }
查看更多
0人赞 添加讨论(0) 举报
时光不老,我们不散
3楼-- · 2019-02-03 18:23

Once you log in, all previous tokens are invalid. That's how it's supposed to work. Naz gets close to the right answer except, the token in the cookie doesn’t store the username. Only the token in the form does. It is precisely because of this issue: if a user logs in, all existing form tokens should be invalidated, but invalidating the cookie itself would be too problematic and user-unfriendly.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)