我正在考虑更改 ASP.NET Core 中默认防伪 cookie 的名称.
I'm thinking about changing name of the default antiforgery cookie in ASP.NET Core.
我之所以要更改 cookie 名称是为了匿名化 cookie,在我看来,最终用户没有理由能够确定该 cookie 的责任.
The reason why I would like to change the cookie name is to anonymize the cookie, in my opinion there is no reason why end users should be able to determine the responsibility of this cookie.
Microsoft.AspNetCore.Antiforgery.AntiforgeryOptions.CookieName
您可以在 Startup.ConfigureServices
中设置不同的名称,如下所示:
You can set a different name in your Startup.ConfigureServices
as in:
services.AddAntiforgery(opts => opts.CookieName = "MyAntiforgeryCookie");
对于 .Net Core 2.0.0 或更高版本会有更改:
参考:https://docs.microsoft.com/en-us/dotnet/api/Microsoft.AspNetCore.Antiforgery.AntiforgeryOptions?view=aspnetcore-2.0
为此使用以下内容:
services.AddAntiforgery(opts => opts.Cookie.Name = "MyAntiforgeryCookie");
默认情况下,AddMvc()
内部调用AddAntiforgery()
,这意味着您将获得默认的cookie、标题和表单名称.如果您需要/想要使用不同的名称,您可以通过如上所述手动调用 AddAntiforgery 来实现.
By default AddMvc()
internally calls AddAntiforgery()
, which means you get the default cookie, header and form names. If you need to/want to use different names, you can do so by manually calling AddAntiforgery as above.
如果您更改 cookie 名称,应该不会对您的应用程序产生任何影响(除非您自己添加了手动使用该 cookie 的代码).您可能还想更改标题/表单名称,例如官方 Antiforgery repo 有一个示例,它使用 Angular 并将标头更改为标准 Angular XSRF 令牌标头.
There should be no implications for your application if you change the cookie name (unless you added code yourself that manually used that cookie). You might also want to change the header/form name, for example the offical Antiforgery repo has an example that uses Angular and changes the header as the standard angular XSRF token header.
为了使用它,请将 [ValidateAntiForgeryToken]
添加到 GET 请求以外的控制器操作中.
In order to use it, add the [ValidateAntiForgeryToken]
to controller actions other than GET requests.
只要您使用 asp 表单标签助手,您就不必对标准 html 表单做任何其他事情,请参阅 这个问题.
You have to do nothing else for standard html forms as long as you use the asp form tag helpers, see this question.
如果您使用 ajax 请求,那么您将需要在您的请求中包含一个标头或一个包含生成令牌的字段.你基本上需要:
If you use ajax requests, then you will need to include either a header or a field within your request that includes the generated token. You basically need to:
IAntiforgery
var tokenSet = antiforgery.GetAndStoreTokens(httpContext);
使其可用于您的 js 代码,以便它知道值 tokenSet.RequestToken
被包含为名称为 tokenSet.FormFieldName
的字段或每个 ajax 请求中名称为 tokenSet.HeaderName
的标头.
IAntiforgery
var tokenSet = antiforgery.GetAndStoreTokens(httpContext);
Make it available to your js code so it knows about the value tokenSet.RequestToken
to be included as either a field with name tokenSet.FormFieldName
or a header with name tokenSet.HeaderName
within each ajax request.
目标是让 POST/PUT/DELETE/PATCH 请求包含 2 个内容:
The aim is for POST/PUT/DELETE/PATCH requests to include 2 things:
所以防伪中间件可以验证没有 XSRF.
So the antiforgery middleware can validate there was no XSRF.
关于 cookie 名称/域的更新
合理的默认设置是每个应用程序都有自己的 cookie.您通常使用默认方法得到它,因为 cookie 上没有专门设置域,因此 cookie 从请求中获取域.这意味着不同的应用程序使用不同的 cookie,除非应用程序托管在同一个域中.
The sensible default is for each application to have its own cookie. You mostly get that with the default approach as no domain is specifically set on the cookie, so the cookie takes the domain from the request. That would mean different cookies for different applications unless the appliacations are hosted with the same domain.
您可能只想在特殊情况下共享 cookie,例如,如果您有 2 个应用程序,其中应用程序 A 中的一个表单发布到应用程序 B.在这些情况下,请确保您使用的域/子域与这两个应用程序以及两者都匹配使用相同的 cookie 名称.
You might only want to share the cookie in special cases, for example if you have 2 applications where a form in app A posts to app B. In those cases make sure you use a domain/subdomain that matches both applications and both use the same cookiea name.
这篇关于在 ASP.NET Core 中使用防伪 cookie,但使用非默认 CookieName的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!