5

我在我的Express v3应用程序上设置了 CSRF,我有这样的:

app.use(express.session({
  secret: "gdagadgagd",
  cookie: {
    httpOnly: true,
    path : '/',
    maxAge: 1000*60*60*24*30*12
  }
}));
app.use(express.csrf());
app.use(function(req, res, next) {
  res.locals.token = req.session._csrf;
  next();
})

在我的页面上,令牌显示为:

<input type="hidden" name="_csrf" value="E3afFADF3913-fadFK31">

但是当我尝试在我的网页上注册时,我收到了这个错误:

Error: Forbidden
    at Object.exports.error (/Users/account/Desktop/nodeapp/node_modules/express/node_modules/connect/lib/utils.js:55:13)
    at Object.handle (/Users/account/Desktop/nodeapp/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:41)
    at next (/Users/account/Desktop/nodeapp/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at next (/Users/account/Desktop/nodeapp/node_modules/express/node_modules/connect/lib/middleware/session.js:313:9)
    at /Users/account/Desktop/nodeapp/node_modules/express/node_modules/connect/lib/middleware/session.js:337:9
    at /Users/account/Desktop/nodeapp/node_modules/express/node_modules/connect/lib/middleware/session/memory.js:50:9
    at process._tickCallback (node.js:415:13)

我使用 Jade 作为我的模板引擎,这就是我所拥有的:

input(type='hidden', name='_csrf', value=token)

我直接在 localhost:3000 访问网页,但我不确定为什么我被禁止注册帐户。谢谢!

4

1 回答 1

3

您应该使用bodyParser中间件,让服务器知道_csrf已通过。

app.use(express.bodyParser());之前插入app.use(express.csrf());

于 2013-04-21T12:09:47.943 回答