To defend against CSRF attacks, newer versions of the framework have strengthened their handling of it.
Add [ValidateAntiForgeryToken] to the PageModel
[ValidateAntiForgeryToken]
public class LoginModel : PageModel
Generate the token in the HTML
<el-form style="max-width:600px; margin:20px auto;" method="post">
@Html.AntiForgeryToken()
Send the token with every Ajax submission (global setting)
$.ajaxSetup({
    beforeSend: function (xhr) {
        xhr.setRequestHeader("RequestVerificationToken", $('input:hidden[name="__RequestVerificationToken"]').val());
    }
});
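The global `$.ajaxSetup` hook above attaches the token to every jQuery request, whatever its method or destination. The following added example (not code from the original post) limits the header to state-changing, same-origin requests so the token is not sent to other origins; `shouldAttachToken` is a hypothetical helper name.

```javascript
// Added example, not from the original post.
// shouldAttachToken is a hypothetical helper: it decides whether a request
// should carry the anti-forgery header. pageOrigin is a parameter so the
// function can also be exercised outside a browser.
function shouldAttachToken(method, url, pageOrigin) {
  // Read-only methods must not change state, so they need no token.
  if (/^(GET|HEAD|OPTIONS|TRACE)$/i.test(method || "GET")) {
    return false;
  }
  let target;
  try {
    // Relative URLs resolve against the page and are therefore same-origin.
    target = new URL(url, pageOrigin);
  } catch (e) {
    return false; // unparsable URL: never send the token
  }
  // Scheme, host and port must all match the page's origin.
  return target.origin === new URL(pageOrigin).origin;
}

// Browser wiring: only runs when jQuery and window are present.
if (typeof $ !== "undefined" && typeof window !== "undefined") {
  $.ajaxSetup({
    beforeSend: function (xhr, settings) {
      if (shouldAttachToken(settings.type, settings.url, window.location.origin)) {
        xhr.setRequestHeader(
          "RequestVerificationToken",
          $('input:hidden[name="__RequestVerificationToken"]').val()
        );
      }
    }
  });
}
```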
Disabling the settings above
(Sometimes this protection is not necessary, for example when requests are not initiated from within a page and another security mechanism has to be used.)
// In the public void ConfigureServices(IServiceCollection services) method:
services.AddMvc()
    .AddRazorPagesOptions(o => { o.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute()); })
    .InitializeTagHelper<FormTagHelper>((helper, context) => helper.Antiforgery = false)
    .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);