背景
我有一个相对较新的ASP.NET Core 2站点 . 它只在一台服务器上运行(Windows Server 2012 R2,IIS 8.5),每上几天我上传更新时只会重启一次 . 大约每天一次,由于防伪系统的拒绝,用户的请求失败 . 这些是POST请求,并没有什么特别之处 . 我在POST请求中包含了防伪值,99%的时间,POST请求都有效 . 但是当它们没有时,stdout日志会说,“防伪令牌验证失败 . 防伪cookie令牌和请求令牌不匹配 . ”当我使用该确切语句执行Web搜索时,我得到零结果 . 所以我转向Stack Overflow . [这已不再适用,因为Web搜索现在会产生此Stack Overflow问题 . ]
错误
我已经在下面列出了stdout日志的相关部分 .
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 POST [domain redacted] application/x-www-form-urlencoded 234
info: Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.ValidateAntiforgeryTokenAuthorizationFilter[1]
Antiforgery token validation failed. The antiforgery cookie token and request token do not match.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery cookie token and request token do not match.
at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.<ValidateRequestAsync>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.ValidateAntiforgeryTokenAuthorizationFilter.<OnAuthorizationAsync>d__3.MoveNext()
info: Microsoft.AspNetCore.Mvc.RazorPages.Internal.PageActionInvoker[3]
Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.AutoValidateAntiforgeryTokenAuthorizationFilter'.
info: Microsoft.AspNetCore.Mvc.StatusCodeResult[1]
Executing HttpStatusCodeResult, setting HTTP status code 400
info: Microsoft.AspNetCore.Mvc.RazorPages.Internal.PageActionInvoker[2]
Executed action /Index in 2.6224ms
warn: Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery[1]
Antiforgery validation failed with message 'The antiforgery cookie token and request token do not match.'.
对于导致上述stdout输出的请求, IAntiforgery.IsRequestValidAsync 同意返回false . 请注意错误消息"The antiforgery cookie token and request token do not match."这是一个失败的POST请求和相关cookie的缩减示例 .
POST: __RequestVerificationToken= CfDJ8F9Fs4CqDFpLttT96eZw9WHjWfHO8Yawn35k4Yq3gDK5n1TDJDDiY5o86VQs1_qOVIYBydCizBU4knb7Jmq1-heGhwnMu2KmhUIiAd0xI7Sudv3GX-J0OI6wRfiPL4L1KRs2Pml8dbsDfwemewBqi18
Cookie: .AspNetCore.Antiforgery.ClRyCRmWApY=CfDJ8F9Fs4CqDFpLttT96eZw9WFtJht41WcNrmgshi2pFGwcxhr0_0hvINQc7Yl9Cbjhv-TiSNXeEctyKborLI49AcjHfWIgOmmKkbjOe7QMn8Z0WZtkQy5JcaBHKEGTu1p-La8JL8pZZqZy02Hrswpkh3I
在请求失败并出现400错误(使用一些错误处理中间件)后,我也已经捕获了几次这些数据:
AntiforgeryTokenSet tokens = antiforgery.GetTokens(context);
tokens.CookieToken: null
tokens.FormFieldName: "__RequestVerificationToken"
tokens.HeaderName: "RequestVerificationToken"
tokens.RequestToken: "CfDJ8F9Fs4CqDFpLttT96eZw9WH33jSw5mM8h7RpEd3vGISQTRkx1rfwm-L2lfkvXKMBc-riESmoTo_fnIjeBbRmOo5KuJHr09f8B75sQ9g_djIVeeaGwMw5KE6W1O2-7Vi03fCnwlTv8l-BWGst76Ln-ZQ"
所以这里有三个字符串:
POST String: "CfDJ8F9Fs4CqDFpLttT96eZw9WHjWfHO8Yawn35k4Yq3gDK5n1TDJDDiY5o86VQs1_qOVIYBydCizBU4knb7Jmq1-heGhwnMu2KmhUIiAd0xI7Sudv3GX-J0OI6wRfiPL4L1KRs2Pml8dbsDfwemewBqi18"
Cookie String: "CfDJ8F9Fs4CqDFpLttT96eZw9WFtJht41WcNrmgshi2pFGwcxhr0_0hvINQc7Yl9Cbjhv-TiSNXeEctyKborLI49AcjHfWIgOmmKkbjOe7QMn8Z0WZtkQy5JcaBHKEGTu1p-La8JL8pZZqZy02Hrswpkh3I"
antiforgery.GetTokens(context).RequestToken: "CfDJ8F9Fs4CqDFpLttT96eZw9WH33jSw5mM8h7RpEd3vGISQTRkx1rfwm-L2lfkvXKMBc-riESmoTo_fnIjeBbRmOo5KuJHr09f8B75sQ9g_djIVeeaGwMw5KE6W1O2-7Vi03fCnwlTv8l-BWGst76Ln-ZQ"
POST字符串和cookie字符串不匹配,但根据我的经验,即使ASP.NET Core认为合法的请求,他们也从不这样做 . 但奇怪的是,POST字符串和 tokens.RequestToken 也不匹配 . 我认为他们应该匹配,虽然我在请求生命周期中稍后捕获了 tokens.RequestTooken ,所以也许这与它有关 .
GitHub上的ASP.NET Core 2
我决定查看ASP.NET Core 2的源代码 . 我找到了这个文件,特别是第145行:
该行收到消息“防伪cookie令牌和请求令牌不匹配” . 从第134行的这个文件:
https://github.com/aspnet/Antiforgery/blob/dev/src/Microsoft.AspNetCore.Antiforgery/Resources.resx
所以我认为这就是信息的起源,但我仍然想知道为什么会发生这种情况 .
问题
有人请帮我弄清楚为什么这些防伪代币没有验证?用户的Web浏览器是否可能会破坏cookie或POST数据?有没有人有这方面的经验或任何建议?谢谢 .
1 回答
全局禁用过滤器似乎是关闭它的唯一方法 . 我得到@ svallis的代码来处理视觉修改:
https://github.com/aspnet/Mvc/issues/7012