2013-10-08 199 views
1

My controller is throwing a ValidateAntiForgeryToken error:

The required anti-forgery form field "__RequestVerificationToken" is not present.

But this is exactly what I am doing:

  1. Log in with a test user

VIEW

@using (Html.BeginForm(new { ReturnUrl = ViewBag.ReturnUrl }))
{
    @Html.AntiForgeryToken()
    @Html.ValidationSummary()

    <fieldset>
        <legend>Log in Form</legend>
        <ol>
            <li>
                @Html.LabelFor(m => m.UserName)
                @Html.TextBoxFor(m => m.UserName)
            </li>

            <li>
                @Html.LabelFor(m => m.Password)
                @Html.PasswordFor(m => m.Password)
            </li>

            <li>
                @Html.LabelFor(m => m.RememberMe)
                @Html.CheckBoxFor(m => m.RememberMe)
            </li>
        </ol>
    </fieldset>
}

CONTROLLER

[AllowAnonymous]
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        if (Membership.ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

            return RedirectToCreateUserProfile(model, returnUrl);
        }
        else
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
        }
    }

    // If we got this far, something failed: redisplay the form
    return View(model);
}
  2. Once validated, I am redirected to the home page

  3. Then I click a menu option to show me the user profile, and I get the above error

Layout view (showing more code than needed, but I wanted to show the JS in case it is causing the problem)

<!DOCTYPE html> 
<html> 
    <head> 
     <title>@ViewBag.Title</title> 
     <link href="@Url.Content("~/Content/Site.css")" rel="stylesheet" type="text/css" /> 
     <link href="@Url.Content("~/Content/kendo/2013.2.918/kendo.common.min.css")" rel="stylesheet" type="text/css" /> 
     <link href="@Url.Content("~/Content/kendo/2013.2.918/kendo.dataviz.min.css")" rel="stylesheet" type="text/css" /> 
     <link href="@Url.Content("~/Content/kendo/2013.2.918/kendo.metro.min.css")" rel="stylesheet" type="text/css" /> 
     <link href="@Url.Content("~/Content/kendo/2013.2.918/kendo.dataviz.metro.min.css")" rel="stylesheet" type="text/css" /> 
     <script src="@Url.Content("~/Scripts/kendo/2013.2.918/jquery.min.js")"></script> 
     <script src="@Url.Content("~/Scripts/kendo/2013.2.918/kendo.all.min.js")"></script> 
     <script src="@Url.Content("~/Scripts/kendo/2013.2.918/kendo.aspnetmvc.min.js")"></script> 
     <script src="@Url.Content("~/Scripts/kendo.modernizr.custom.js")"></script> 
     <script type="text/javascript"> 

      var _gaq = _gaq || []; 
      var pluginUrl = 
      '//www.google-analytics.com/plugins/ga/inpage_linkid.js'; 
      _gaq.push(['_require', 'inpage_linkid', pluginUrl]); 
      _gaq.push(['_setAccount', 'UA-44529127-1']); 
      _gaq.push(['_trackPageview']); 

      (function() { 
       var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; 
       ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; 
       var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); 
      })(); 

</script> 

    </head> 
    <body> 
     <header> 
      <div class="content-wrapper"> 
       <div class="float-left"> 
        <p class="site-title">@Html.ActionLink("your logo here", "Index", "Home")</p> 
       </div> 
       <div class="float-right"> 
        <section id="login"> 
         @Html.Partial("_LoginPartial") 
        </section> 
        <nav> 
         <ul id="menu"> 
          <li>@Html.ActionLink("Home", "Index", "Home")</li> 
          <li>@Html.ActionLink("About", "About", "Home")</li> 
          <li>@Html.ActionLink("Contact", "Contact", "Home")</li> 
          @if (User.IsInRole("Admin")) 
          { 
           <li>@Html.ActionLink("API", "Index", "Help", new { area = "" }, null)</li>        
          } 
         </ul> 
        </nav>      
       </div> 
      </div> 
     </header> 
    <div id="body">
        @if (Request.IsAuthenticated)
        {
            <ul id="IndexHomeMenu">
                @if (User.IsInRole("Admin"))
                {
                    <li>
                        Administration @*@Html.ActionLink("Administration", "Contact", "Home")*@
                        <ul>
                            <li>@Html.ActionLink("Manage Roles", "Index", "AdminView")</li>
                            <li>@Html.ActionLink("Manage Users", "Contact", "Home")</li>
                            <li>@Html.ActionLink("Inactive Reasons", "Index", "InactiveReasonView")</li>
                        </ul>
                    </li>
                }
                <li>
                    My Information
                    <ul>
                        <li>@Html.ActionLink("Profile", "EditByName", "UserView", new { UserName = User.Identity.Name }, new { @class = "selected" })</li>
                        <li>@Html.ActionLink("Phone Numbers", "Active", "PhoneNumberView", new { userName = User.Identity.Name }, null)</li>
                        <li>@Html.ActionLink("Address's", "Active", "AddressView", new { userName = User.Identity.Name }, null)</li>
                        @if (!User.IsInRole("Clients"))
                        {
                            <li>@Html.ActionLink("Subscription", "Index", "AdminView")</li>
                        }
                    </ul>

I click:

  • @Html.ActionLink("Profile", "EditByName", "UserView", new { UserName = User.Identity.Name }, new { @class = "selected" })

CONTROLLER

[ValidateAntiForgeryToken]
public ActionResult EditByName(string userName) // EditByName
{
    if (User.Identity.IsAuthenticated)
    {
        UserModel usermodel = repository.Get(User.Identity.Name); // db.UserModels.Find(id);
        if (usermodel == null)
        {
            // Route values must be an object with named properties; passing a bare string here
            // would be reflected into a "Length" route value instead of the user name.
            return RedirectToAction("Create", "UserView", new { userName = User.Identity.Name });
        }
        return View(usermodel);
    }
    else
    {
        return RedirectToAction("Login", controllerName: "AccountView");
    }
}
    

This is when the error occurs. I don't know what is missing; I create the token and it is in all the forms.

Answers

    2

You are using [ValidateAntiForgeryToken] on a GET action (the EditByName action), whereas it is intended to handle POST actions.

See this question on the purpose of [ValidateAntiForgeryToken] and this article explaining how to use it to prevent CSRF attacks.

    1

Remove [ValidateAntiForgeryToken] from the EditByName GET action method.

Also, use the [Authorize] attribute instead of if (User.Identity.IsAuthenticated).

And can any user edit any profile, as long as they know the user name?

    +0

Only users in the ADMIN role can edit/view any profile – ChampChris

    +0

And I do have [Authorize] at the top of the controller – ChampChris
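The shape both answers are pointing at, as an added example rather than the asker's code: the anti-forgery filter goes on the POST that changes state, the GET that renders the form carries none, authorization is declared with [Authorize], and the profile is resolved from the authenticated identity instead of a caller-supplied user name. UserModel, IUserRepository and the Edit/EditByName action names are hypothetical stand-ins for the thread's types.

```csharp
// Added example, not the asker's code: the split the answers describe.
// UserModel and IUserRepository are hypothetical stand-ins for the thread's types.
using System.Web.Mvc;
public class UserModel { public string UserName { get; set; } }
public interface IUserRepository { UserModel Get(string userName); void Save(UserModel m); }

[Authorize] // replaces the manual User.Identity.IsAuthenticated check in every action
public class UserViewController : Controller
{
    private readonly IUserRepository repository;
    public UserViewController(IUserRepository repository) { this.repository = repository; }

    // GET /UserView/Edit: no [ValidateAntiForgeryToken]. A GET has no form body, so the
    // __RequestVerificationToken field can never be present and the filter always throws.
    [HttpGet]
    public ActionResult Edit()
    {
        // Look up the caller's own record from the authenticated identity rather than a
        // caller-supplied userName, so the URL cannot be pointed at another user's profile.
        var model = repository.Get(User.Identity.Name);
        return model == null ? (ActionResult)RedirectToAction("Create") : View(model);
    }

    // POST /UserView/Edit: the state-changing action is what the token protects. The
    // matching view must render @Html.AntiForgeryToken() inside its form.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(UserModel posted)
    {
        if (!ModelState.IsValid)
        {
            return View(posted);
        }
        // Re-assert the identity server-side so a tampered hidden field cannot change
        // whose profile gets saved.
        posted.UserName = User.Identity.Name;
        repository.Save(posted);
        return RedirectToAction("Edit");
    }

    // Editing someone else's profile is restricted to the Admin role, which is the rule
    // the asker states in the comments.
    [HttpGet]
    [Authorize(Roles = "Admin")]
    public ActionResult EditByName(string userName)
    {
        var model = repository.Get(userName);
        return model == null ? (ActionResult)HttpNotFound() : View("Edit", model);
    }
}
```

With this split, the "Profile" menu link becomes a plain GET to Edit with no route value, and only the form post inside the Edit view has to carry the token.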