I'm having problems with the AntiForgeryToken in ASP.NET MVC. If I do an iisreset on my web server and a user continues their session, they get bounced to the login page. Not terrible, but the AntiForgery token blows up and the only way to fix it is to blow away the cookie on the browser.
With the version 1 beta it used to error regularly when reading the cookie back for me, so I used to clear it before requesting the validation token, but that was fixed by the time it was released.
Now I think I'll roll back to the code that fixed the beta problem, but I can't help thinking I'm missing something. Is there a simpler solution, or should I ditch their helper and create a new one from scratch? I feel a lot of the problem is that it's so tightly tied to the old ASP.NET pipeline and tries to shoehorn it into doing something it wasn't really designed to do.
I've looked at the ASP.NET MVC 2 RC source and it doesn't look like the code has changed much, so although I haven't tried it, I don't think there are any answers there.
Here's the relevant part of the exception stack trace.
Edit: I just realised I didn't mention that this is only when trying to insert the token on a GET request. It's not the validation that happens when you initiate a POST.
System.Web.Mvc.HttpAntiForgeryException: A required anti-forgery token was not
supplied or was invalid.
---> System.Web.HttpException: Validation of viewstate MAC failed. If this
application is hosted by a Web Farm or cluster, ensure that <machineKey>
configuration specifies the same validationKey and validation algorithm.
AutoGenerate cannot be used in a cluster.
---> System.Web.UI.ViewStateException: Invalid viewstate.
Client IP: 127.0.0.1
Port: 4991
User-Agent: scrubbed
ViewState: scrubbed
Referer: blah
Path: /oursite/Account/Login
---> System.Security.Cryptography.CryptographicException: Padding is invalid and
cannot be removed.
at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo)
at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
at System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError)
at System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState)
at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString)
at System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState)
at System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken)
--- End of inner exception stack trace ---
at System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken)
at System.Web.Mvc.HtmlHelper.GetAntiForgeryTokenAndSetCookie(String salt, String domain, String path)
at System.Web.Mvc.HtmlHelper.AntiForgeryToken(String salt, String domain, String path)
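As an added example (not from the original post), the inner exception above points at an auto-generated <machineKey>, so the configuration that keeps the anti-forgery cookie decryptable across an iisreset is an explicit, stable key pair in web.config; the key values shown are placeholders, not real keys, and the application path in the aspnet_regiis comment is assumed.

```xml
<!-- Added example, not from the original post: pin the machineKey in web.config so the
     same validationKey/decryptionKey are used before and after an iisreset (and on every
     node of a web farm). The key values are placeholders, not real keys. -->
<configuration>
  <system.web>
    <!-- Weak setting: auto-generated keys (the framework default). The inner exception
         above flags this case ("AutoGenerate cannot be used in a cluster"). A key that
         is regenerated after a reset cannot decrypt the __RequestVerificationToken
         cookie the browser still holds, so the helper throws while rendering the GET. -->
    <!--
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1"
                decryption="AES" />
    -->

    <!-- Hardened setting: explicit keys generated once with a cryptographic RNG.
         The placeholders below are NOT valid keys. Keep the real values out of
         source control and encrypt the section in place, e.g.
         aspnet_regiis -pe "system.web/machineKey" -app "/oursite"  (app path assumed). -->
    <machineKey validationKey="[PLACEHOLDER_128_HEX_CHARS]"
                decryptionKey="[PLACEHOLDER_64_HEX_CHARS]"
                validation="SHA1"
                decryption="AES" />
  </system.web>
</configuration>
```

Cookies issued under the old auto-generated key still fail once after the change, so expect one final round of cleared cookies before resets stop producing this exception.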