开发者

Problem with Validate Anti Forgery

I have a problem regarding MVC Anti forgery token. When I do my authentication I 开发者_高级运维have pseudo code like this:

var user = userRepository.GetByEmail(email);
System.Threading.Thread.CurrentPrincipal = HttpContext.Current.User = user;

by doing so I'm able to get the current user in my code like this:

var user = HttpContext.Current.User as EntityUser;

This works fine until I add the [ValidateAntiForgeryToken] attribute to an action. When I add the attribute I get

A required anti-forgery token was not supplied or was invalid.

If I comment out this line:

System.Threading.Thread.CurrentPrincipal = HttpContext.Current.User = user;

The antiforgery validation works fine, but the I don't have my convenient way of getting my "EntityUser" from the HttpContext. Any ideas of how to work around this? Best regards Mikael


I don't think that those are related. When you add the [ValidateAntiForgeryToken] attribute to your controller action you also need to add the hidden field inside your form:

<%= Html.AntiForgeryToken() %>

If you are submitting it through AJAX you always need to send this token along the request.


Actually AntiForgeryToken uses HttpContextBase.User in validation. See AntiForgeryWorker.Validate

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜