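/// <summary>
/// Demo login: hands the antiforgery request token to script via a readable cookie,
/// signs in a fixed cookie identity, then honours <paramref name="returnUrl"/> only
/// when it is a local path.
/// </summary>
/// <param name="antiforgery">Antiforgery service resolved from DI.</param>
/// <param name="name">Submitted user name — not checked by this demo (see note below).</param>
/// <param name="password">Submitted password — not checked by this demo (see note below).</param>
/// <param name="returnUrl">Optional post-login destination; anything non-local falls back to "/".</param>
/// <returns>"登录成功" as content when no return URL was supplied, otherwise a redirect.</returns>
public async Task <IActionResult> Login([FromServices] IAntiforgery antiforgery, string name, string password, string returnUrl)
{
    // HttpOnly = false is deliberate: a JS client reads this cookie and copies the
    // request token into the antiforgery header on state-changing requests.
    // NOTE(review): GetTokens has no side effect — the matching cookie half is not
    // written here, so validation only succeeds if the antiforgery cookie was already
    // set by another response (form tag helper / GetAndStoreTokens) — confirm.
    HttpContext.Response.Cookies.Append(
        "CSRF-TOKEN",
        antiforgery.GetTokens(HttpContext).RequestToken,
        new Microsoft.AspNetCore.Http.CookieOptions { HttpOnly = false });

    // NOTE(review): name/password are never verified; every caller is signed in as
    // "小王". Acceptable for a demo only — real code must authenticate first.
    // The scheme must be passed to ClaimsIdentity, otherwise IsAuthenticated is false.
    var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
    identity.AddClaim(new Claim("Name", "小王"));
    await this.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));

    if (string.IsNullOrEmpty(returnUrl))
    {
        return(Content("登录成功"));
    }

    // Open-redirect guard. The previous `new Uri(returnUrl)` probe was inverted:
    // relative local paths such as "/home" throw UriFormatException (Uri defaults to
    // UriKind.Absolute) and fell back to "/", while absolute external URLs parsed
    // fine and were redirected to verbatim. IsLocalUrl accepts "/path" and "~/path"
    // and rejects "//host", "/\host" and anything carrying a scheme or authority.
    // (LocalRedirect would throw on a non-local URL; the explicit check keeps the
    // friendly fallback to the home page.)
    if (Url.IsLocalUrl(returnUrl))
    {
        return(Redirect(returnUrl));
    }
    return(Redirect("/"));
}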
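/// <summary>
/// Hands an antiforgery token pair to a script client: the header name and request
/// token are returned in the body, the cookie half is written to the response.
/// </summary>
/// <returns>
/// The header name and request token, or an instance with both set to "" when token
/// generation failed (the failure is logged, not surfaced to the caller).
/// </returns>
public AntiForgeryDataModel GetAntiForgeryData()
{
    AntiForgeryDataModel data = new AntiForgeryDataModel { AntiForgeryHeader = "", AntiForgeryToken = "" };
    try
    {
        // GetAndStoreTokens (rather than GetTokens) writes the cookie half itself,
        // under the cookie name the antiforgery validator actually reads
        // (AntiforgeryOptions.Cookie.Name) and with the framework's cookie options
        // (HttpOnly, SameSite, secure policy). The previous hand-rolled "CSRF-TOKEN"
        // cookie was only honoured if Cookie.Name had been configured to that exact
        // value, and it was written without HttpOnly.
        var tokens = _antiforgery.GetAndStoreTokens(Request.HttpContext);
        data.AntiForgeryHeader = tokens.HeaderName;
        data.AntiForgeryToken = tokens.RequestToken;

        // Indexer rather than Add: IHeaderDictionary.Add throws on an existing key
        // (GetAndStoreTokens already marks the response non-cacheable), and that
        // exception would have been silently swallowed by the catch below.
        // A token-provisioning response must never be stored by any cache.
        Response.Headers["Cache-Control"] = "no-cache, no-store";
        Response.Headers["X-Frame-Options"] = "SAMEORIGIN";
        Response.Headers["Pragma"] = "no-cache";
        return(data);
    }
    catch (Exception ex)
    {
        // Best-effort endpoint: log and return the empty model rather than fail the request.
        _logger.LogError(ex, $"{nameof(GetAntiForgeryData)} => FAIL");
    }
    return(data);
}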
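/// <summary>
/// Demo login: exposes the antiforgery request token in a script-readable cookie,
/// signs in a fixed cookie identity, and redirects to <paramref name="returnUrl"/>
/// only if it is local — otherwise to "/".
/// </summary>
/// <param name="antiforgery">Antiforgery service resolved from DI.</param>
/// <param name="name">Submitted user name — ignored by this demo (see note).</param>
/// <param name="password">Submitted password — ignored by this demo (see note).</param>
/// <param name="returnUrl">Optional post-login destination; must be a local path.</param>
/// <returns>"登录成功" content when no return URL is given, otherwise a redirect.</returns>
public async Task <IActionResult> Login([FromServices] IAntiforgery antiforgery, string name, string password, string returnUrl)
{
    // Readable by script on purpose (HttpOnly = false): the client copies the request
    // token into the antiforgery header. NOTE(review): GetTokens does not store the
    // cookie half; validation relies on the antiforgery cookie already existing — confirm.
    var requestToken = antiforgery.GetTokens(HttpContext).RequestToken;
    var readableByScript = new Microsoft.AspNetCore.Http.CookieOptions { HttpOnly = false };
    HttpContext.Response.Cookies.Append("CSRF-TOKEN", requestToken, readableByScript);

    // NOTE(review): credentials are not checked — every caller becomes "小王".
    // Demo-only; real code must verify name/password before SignInAsync.
    // The scheme must be given to ClaimsIdentity or IsAuthenticated stays false.
    var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
    identity.AddClaim(new Claim("Name", "小王"));
    await this.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));

    if (string.IsNullOrEmpty(returnUrl))
    {
        return(Content("登录成功"));
    }

    // Open-redirect guard. The former `new Uri(returnUrl)` + Redirect pair let any
    // absolute URL through (e.g. https://attacker.example) and, because Uri(string)
    // requires an absolute URI, threw on relative local paths and sent them to "/".
    // IsLocalUrl does the host/scheme check the old "///uri.Host" comment hinted at.
    var destination = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
    return(Redirect(destination));
}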
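/// <summary>
/// GET handler that provisions an antiforgery token pair for script callers: the
/// request token goes into a JS-readable "XSRF-TOKEN" cookie (the client copies it
/// into the antiforgery header), the cookie half is stored by the framework under
/// its own HttpOnly cookie.
/// </summary>
public void OnGet()
{
    // GetAndStoreTokens, not GetTokens: GetTokens has no side effect, so the cookie
    // half was never written and a client without an existing antiforgery cookie
    // could not pass validation. GetAndStoreTokens also marks the response non-cacheable.
    var token = _antiForgeryService.GetAndStoreTokens(HttpContext).RequestToken;
    // HttpOnly = false is deliberate — script must read this value. It is still
    // written with default Secure/SameSite; NOTE(review): consider Secure = Request.IsHttps.
    HttpContext.Response.Cookies.Append("XSRF-TOKEN", token, new CookieOptions { HttpOnly = false });
}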
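/// <summary>
/// Token-provisioning endpoint for script clients: writes the antiforgery request
/// token to a JS-readable "XSRF-TOKEN" cookie and lets the framework store the
/// cookie half under its own HttpOnly cookie. The body is empty; 200 signals success.
/// </summary>
/// <returns>HTTP 200 with no body.</returns>
public IActionResult GetToken()
{
    // GetAndStoreTokens rather than GetTokens: the latter never writes the cookie
    // half, so a fresh client would fail antiforgery validation. It also sets
    // no-cache headers so the token is not served from a cache.
    var tokens = _antiForgeryService.GetAndStoreTokens(HttpContext);
    // Readable by script on purpose (HttpOnly = false); NOTE(review): Secure/SameSite
    // are left at defaults — consider Secure = Request.IsHttps.
    HttpContext.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions { HttpOnly = false });
    return(new StatusCodeResult(StatusCodes.Status200OK));
}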
/// <summary>
/// Home page. For an authenticated caller, publishes a JSON user summary
/// (ViewData["user"]) and an antiforgery token transformed by XsrfToXpt
/// (ViewData["xpt"]) for the view; anonymous callers get the bare view.
/// </summary>
/// <returns>The default view.</returns>
public IActionResult Index()
{
    if (!User.Identity.IsAuthenticated)
    {
        return(View());
    }

    var principal = User;
    var profile = new { userName = principal.Identity.Name, userType = principal.GetUserRole() };
    ViewData["user"] = JsonHelper.Serialize(profile);
    // GetTokens has no side effect; XsrfToXpt decides how the pair reaches the client.
    ViewData["xpt"] = XsrfToXpt(_antiforgery.GetTokens(HttpContext));
    return(View());
}
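/// <summary>
/// Serves a small JavaScript that, when executed by a page on this site's origin,
/// appends a hidden antiforgery form field to the document body. Only GET is
/// accepted, an optional <c>AllowWhen</c> predicate can refuse the request, and the
/// cookie half of the token pair is written under the configured antiforgery cookie.
/// </summary>
/// <param name="context">Current request; the response is written here and the pipeline is not continued.</param>
public async Task Invoke(HttpContext context)
{
    if (_scriptOptions.AllowWhen != null && !_scriptOptions.AllowWhen(context, _serviceProvider))
    {
        context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
        return;
    }
    if (context.Request.Method != HttpMethods.Get)
    {
        context.Response.StatusCode = (int)HttpStatusCode.MethodNotAllowed;
        return;
    }

    // CookieToken is null when the validator's cookie already exists; otherwise store
    // it under the configured name/options so the request token below can validate.
    var tokenSet = _antiforgery.GetTokens(context);
    if (!string.IsNullOrEmpty(tokenSet.CookieToken))
    {
        var cookieOp = _antiforgeryOptions.Value.Cookie.Build(context);
        context.Response.Cookies.Append(_antiforgeryOptions.Value.Cookie.Name, tokenSet.CookieToken, cookieOp);
    }

    // A per-user token must never be cached by browsers or proxies.
    context.Response.ContentType = "application/javascript; charset=utf-8";
    context.Response.Headers["Cache-control"] = "no-store";
    context.Response.Headers["Pragma"] = "no-cache";

    // Everything interpolated into the script lands inside a single-quoted JS string
    // literal. FormFieldName is operator-configurable and the origin is derived from
    // the request, so encode them (and the token, for defence in depth) so a quote,
    // "<" or "</script>" can neither break the script nor inject into it. The
    // encoder emits \uXXXX escapes, which the JS engine decodes back to the original
    // characters, so the origin comparison and the field value are unchanged.
    var jsEncoder = System.Text.Encodings.Web.JavaScriptEncoder.Default;
    var origin = jsEncoder.Encode(GetOrigin(context.Request));
    var fieldName = jsEncoder.Encode(tokenSet.FormFieldName);
    var requestToken = jsEncoder.Encode(tokenSet.RequestToken);

    // The origin check is what keeps a cross-site <script src=…> inclusion from
    // obtaining the token: off-origin the function simply does nothing. Writes the
    // hidden token field once document.body exists (retries via requestAnimationFrame).
    var bodyScript = $@"(function appendToken(){{ if(window.location.origin==='{origin}'){{ if(document.body){{ var input = document.createElement('input') input.setAttribute('type', 'hidden') input.setAttribute('name', '{fieldName}') input.setAttribute('value', '{requestToken}') document.body.appendChild(input) }}else{{window.requestAnimationFrame(appendToken)}} }}}})()";
    await context.Response.WriteAsync(bodyScript, Encoding.UTF8);
}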
/// <summary>
/// Home page. For an authenticated caller that resolves to a user, publishes a JSON
/// summary (ViewData["User"]: UserName + first role) and an antiforgery token
/// transformed by XsrfToXpt (ViewData["xpt"]); always publishes a mobile-browser
/// flag derived from the User-Agent header (ViewData["Mobile"]).
/// </summary>
/// <returns>The default view.</returns>
public async Task <IActionResult> Index()
{
    if (User.Identity.IsAuthenticated)
    {
        await PublishSignedInUserAsync();
    }
    ViewData["Mobile"] = Utils.IsMobileBrowser(Request.Headers["User-Agent"].ToString());
    return(View());
}

// Fills ViewData["User"] and ViewData["xpt"]; does nothing when the principal
// does not map to a stored user.
private async Task PublishSignedInUserAsync()
{
    var account = await _userManager.GetUserAsync(User);
    if (account == null)
    {
        return;
    }
    var roleNames = await _userManager.GetRolesAsync(account);
    var summary = new { account.UserName, UserRole = roleNames.FirstOrDefault() };
    ViewData["User"] = JsonConvert.SerializeObject(summary);
    ViewData["xpt"] = XsrfToXpt(_xsrf.GetTokens(HttpContext));
}
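// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
/// <summary>
/// Builds the request pipeline. Order is significant: error handling, static files,
/// cookie policy, Hangfire server, authentication, CORS, the 401 -> /login bounce,
/// the Hangfire dashboard, a per-request antiforgery cookie issuer, then MVC.
/// </summary>
/// <param name="app">Pipeline builder.</param>
/// <param name="env">Hosting environment; development enables the developer exception page.</param>
/// <param name="hangfire">Project scheduler whose jobs are registered once the dashboard is mounted.</param>
/// <param name="antiforgery">Antiforgery service used by the token-issuing middleware.</param>
public void Configure(IApplicationBuilder app, IHostingEnvironment env, IHangfireScheduler hangfire, IAntiforgery antiforgery)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
    }

    app.UseStaticFiles();
    app.UseCookiePolicy();
    app.UseHangfireServer();
    app.UseAuthentication();
    env.ConfigureNLog("NLog.config");

    // Explicit origin allow-list from configuration. When the "CORSUrls" section is
    // absent, Get<List<string>>() yields null and .ToArray() threw at startup; treat
    // that as "no cross-origin callers" instead.
    var arrOrigins = Configuration.GetSection("CORSUrls");
    var arrCors = arrOrigins.Get <List <string> >() ?? new List <string>();
    // NOTE(review): AllowCredentials() together with AllowAnyHeader/AllowAnyMethod is
    // only acceptable because origins are an exact allow-list; a "*" entry is refused
    // by the CORS middleware when combined with credentials. Keep the list to
    // specific origins.
    app.UseCors(options =>
    {
        options.AllowCredentials();
        options.AllowAnyHeader();
        options.AllowAnyMethod();
        options.WithOrigins(arrCors.ToArray());
    });

    // Non-JSON callers are bounced to /login on 401. The test is on the *request*
    // Content-Type, so body-less API calls (GET) are redirected as well —
    // NOTE(review): confirm that is intended; an Accept-header check may fit better.
    app.UseStatusCodePages(async context =>
    {
        var response = context.HttpContext.Response;
        if (response.StatusCode == (int)HttpStatusCode.Unauthorized && context.HttpContext.Request.ContentType != "application/json")
        {
            response.Redirect("/login");
        }
    });

    // Dashboard access is gated by the project's HangfireAuth filter.
    app.UseHangfireDashboard("/hangfire", new DashboardOptions { Authorization = new[] { new HangfireAuth() }, AppPath = "/home" });
    hangfire.Register();

    // Issues antiforgery cookies on every response that reaches this point:
    //  - "X-CSRF-TOKEN" carries the cookie half (only when a new one was generated);
    //  - a cookie named after the antiforgery header carries the request token, which
    //    client script copies into that header on state-changing calls.
    // NOTE(review): the validator reads the cookie half from AntiforgeryOptions.Cookie.Name
    // (default ".AspNetCore.Antiforgery.*"), not from "X-CSRF-TOKEN", so this only
    // validates if Cookie.Name was set to "X-CSRF-TOKEN" in ConfigureServices — confirm.
    // Both cookies are written with default CookieOptions (not HttpOnly, not Secure);
    // the request-token cookie must stay script-readable, the cookie half should not.
    app.Use(next => context =>
    {
        var tokens = antiforgery.GetTokens(context);
        if (tokens.CookieToken != null)
        {
            context.Response.Cookies.Append("X-CSRF-TOKEN", tokens.CookieToken);
        }
        context.Response.Cookies.Append(tokens.HeaderName, tokens.RequestToken);
        return(next(context));
    });

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Login}/{action=Index}/{id?}");
        routes.MapRoute(
            name: "areas",
            template: "{area:exists}/{controller=Home}/{action=Index}/{id?}/{id1?}/{id2?}"
            );
    });
}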
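/// <summary>
/// Returns an antiforgery token set as JSON for script clients and stores the cookie
/// half on the response so the returned request token can be validated later.
/// </summary>
/// <returns>200 with { requestToken, header, cookieToken }.</returns>
public IActionResult GetAntiForgeryToken()
{
    // GetAndStoreTokens rather than GetTokens: GetTokens never writes the cookie half,
    // so a client that had no antiforgery cookie yet could not validate the request
    // token it was given. The response is also marked non-cacheable.
    var tokenSet = antiForgery.GetAndStoreTokens(HttpContext);
    // NOTE(review): cookieToken is kept in the payload only for backward compatibility
    // with existing callers. The cookie half is meant to stay server-readable (it is
    // now stored HttpOnly by the framework); nothing on the client needs it, and
    // exposing it lets any script obtain both halves — consider dropping the field.
    return(Ok(new { requestToken = tokenSet.RequestToken, header = tokenSet.HeaderName, cookieToken = tokenSet.CookieToken }));
}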