Sti*_*ian 3 c# asp.net-core asp.net-core-identity
在我的_LoginPartial.cshtml我有这个注销按钮:
<form id="logoutForm" class="form-inline" asp-area="Identity" asp-page="/Account/Logout" asp-route-returnUrl="@Url.Action("Index", "", new { area = "" })">
<button id="logout" type="submit">
Log out
</button>
</form>
然后,据我所知,Logout.cshtml.cs被称为:
public class LogoutModel : PageModel
{
private readonly SignInManager<ApplicationUser> _signInManager;
private readonly ILogger<LogoutModel> _logger;
public LogoutModel(SignInManager<ApplicationUser> signInManager, ILogger<LogoutModel> logger)
{
_signInManager = signInManager;
_logger = logger;
}
public void OnGet()
{
}
public async Task<IActionResult> OnPost(string returnUrl = null)
{
await _signInManager.SignOutAsync();
_logger.LogInformation("User logged out.");
if (returnUrl != null)
{
return LocalRedirect(returnUrl);
}
else
{
return RedirectToPage();
}
}
}
但是,如果当用户按下“注销”时用户会话 cookie 已过期,我会收到此描述性错误消息:
HTTP 错误 400
在任何地方设置的任何断点Logout.cshtml.cs都不会被击中。
怎么了?
if the user session cookie has expired when the user presses "Log out", I get this descriptive error message:
HTTP ERROR 400
Any breakpoints set anywhere in Logout.cshtml.cs is never hit.
As we know, Razor Pages are protected from XSRF/CSRF automatically. And the antiforgery token (associated with the current user's identity) that client user sent to server would cause verification fail if current user's authentication expired, which cause above error.
To fix above error, you can apply IgnoreAntiforgeryToken Attribute to LogoutModel class, like below.
[AllowAnonymous]
[IgnoreAntiforgeryToken]
public class LogoutModel : PageModel
{
You can get detailed information about "Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks" from following doc:
https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.1
| 归档时间: |
|
| 查看次数: |
663 次 |
| 最近记录: |