angularjs – 标头和cookie中的CSRF令牌在请求中不匹配

所以这就是我如何解决我的问题(有点)：

(1)在每个请求(包括第一个请求)上,我从API返回一个名为“XSRF-TOKEN”的响应头中的cookie和一个与之关联的随机值.这是AngularJS在使用CSRF保护时默认查找的名称.

(2)收到该令牌后请求中发生的事情是,AngularJS使用该令牌的值在名为“XSRF-TOKEN”的请求头中发送cookie,并使用该令牌的值发送名为“X-XSRF-TOKEN”的头同样.

所以我的API处理随机化XSRF令牌,我的应用程序仍然是无状态的.我正在使用Web API,并使用全局过滤器来处理此XSRF令牌创建.下面是我的代码(在C#中).我不再在UI中处理任何代码(因为它似乎不需要)：

public class ValidateAntiForgeryToken : ActionFilterAttribute
{
    private const string XsrfCookieName = "XSRF-TOKEN";

    private const string XsrfHeaderName = "X-XSRF-TOKEN";

    private const string CsrfTokenSalt = "RANDOM SALT";


    public override void OnActionExecuting(HttpActionContext filterContext)
    {
        string requestMethod = filterContext.Request.Method.Method;

        Boolean isValid = true;

        if (requestMethod != "GET")
        {
            var headerToken = filterContext.Request.Headers.Where(x => x.Key.Equals(XsrfHeaderName,StringComparison.OrdinalIgnoreCase))
                .Select(x => x.Value).SelectMany(x => x).FirstOrDefault();

            var cookieToken = filterContext.Request.Headers.GetCookies().Select(x => x[XsrfCookieName]).FirstOrDefault();

            // check for missing cookie or header
            if (cookieToken == null || headerToken == null)
            {
                isValid = false;
            }

            // ensure that the cookie matches the header
            if (isValid && !String.Equals(headerToken,cookieToken.Value,StringComparison.OrdinalIgnoreCase))
            {
                isValid = false;
            }

            if (!isValid)
            {
                filterContext.Response = filterContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
                filterContext.Response.ReasonPhrase = "Unauthorized to make that request.";
                return;
            }
        }

        base.OnActionExecuting(filterContext);
    }


    public override void OnActionExecuted(HttpActionExecutedContext actionExecutedContext)
    {
        string textToHash = RandomStringGeneration();
        string cookieText = HashService.HashText(textToHash,CsrfTokenSalt);

        var cookie = new CookieHeaderValue(XsrfCookieName,HttpUtility.UrlEncode(cookieText));

        /* don't use this flag if you're not using HTTPS */
        cookie.Secure = true;      
        cookie.HttpOnly = false; // javascript needs to be able to get this in order to pass it back in the headers in the next request

        /* if you have different environments on the same domain (which I did in one application using this code) make sure you set the path to be ApplicationPath of the request. Case sensitivity does matter in Chrome and IE,so be wary of that. */
        cookie.Path = "/";

        actionExecutedContext.Response.Headers.AddCookies(new[] { cookie });

        base.OnActionExecuted(actionExecutedContext);
    }
}

这是我的HashService.HashText()代码：

public class HashService
{
    public static string HashText(string text,string salt)
    {
        SHA512Managed hashString = new SHA512Managed();

        byte[] textWithSaltBytes = Encoding.UTF8.GetBytes(string.Concat(text,salt));
        byte[] hashedBytes = hashString.ComputeHash(textWithSaltBytes);

        hashString.Clear();

        return Convert.ToBase64String(hashedBytes);
    }
}

希望这可以帮助未来的无状态应用程序.不幸的是,发回的令牌仅在cookie值和标头值中与其自身进行比较.这是我现在能够验证它的唯一方法(我认为这是非常安全的).我可能会为XSRF保护创建一个全新的表,并使用它来验证令牌确实是用户应该使用的令牌.这是我能够保持API无状态的唯一方法.

在阅读AngularJS的$http文档后,我偶然发现了这个解决方案,该文档规定：

Cross Site Request Forgery (XSRF) Protection: XSRF is a technique by
which an unauthorized site can gain your user’s private data. Angular
provides a mechanism to counter XSRF. When performing XHR requests,
the $http service reads a token from a cookie (by default,XSRF-TOKEN)
and sets it as an HTTP header (X-XSRF-TOKEN). Since only JavaScript
that runs on your domain could read the cookie,your server can be
assured that the XHR came from JavaScript running on your domain. The
header will not be set for cross-domain requests.

To take advantage of this,your server needs to set a token in a
JavaScript readable session cookie called XSRF-TOKEN on the first HTTP
GET request. On subsequent XHR requests the server can verify that the
cookie matches X-XSRF-TOKEN HTTP header,and therefore be sure that
only JavaScript running on your domain could have sent the request.
The token must be unique for each user and must be verifiable by the
server (to prevent the JavaScript from making up its own tokens). We
recommend that the token is a digest of your site’s authentication
cookie with a salt for added security.

The name of the headers can be specified using the xsrfHeaderName and xsrfCookieName properties of either $httpProvider.defaults at config-time,$http.defaults at run-time,or the per-request config object.