Antiforgery goes at the end of filters #5470
rynowak left a comment:
Needs functional tests; also need to verify this works with [AutoValidate....] as well.
| /// validation of antiforgery tokens by default for an application. Use | ||
| /// <see cref="IgnoreAntiforgeryTokenAttribute"/> to suppress validation of the antiforgery token for | ||
| /// a controller or action. | ||
| /// The default Order for this attribute is 1000 because it must run after any filter which does authentication |
I would suggest putting this documentation on the Order property. Also, when you're working on doc comments, newlines in the source code are not significant. Use the `<para></para>` tag if you want to make paragraphs.
| @@ -0,0 +1,42 @@ | |||
| using System; | |||
| "warningsAsErrors": true | ||
| }, | ||
| "dependencies": { | ||
| "AjaxAntiForgeryValidation": "1.0.0", |
Suggest calling this SecurityWebSite
| { | ||
| Console.WriteLine(); | ||
| }); | ||
| services.AddIdentity<ApplicationUser, ApplicationRole>(config => |
Do we need Identity here? This is pretty heavyweight. Identity is primarily concerned with information about the user, not just whether or not the user is authentic.
Suggest talking to @Tratcher about how we could just get away with cookie middleware (which Identity uses).
Yes, you can simplify down to cookie/forms auth
| services.AddMvc(); | ||
| services.AddAntiforgery(options => | ||
| { | ||
| Console.WriteLine(); |
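Review bot: the empty `Console.WriteLine();` inside the `AddAntiforgery` options lambda (and the one inside the `AddIdentity` config lambda above) looks like leftover debugging and configures nothing; either remove the lambda bodies or set the options the test site actually needs there, for example the header name the AJAX client will send the request token in.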
| public IConfigurationRoot Configuration { get; } | ||
| // This method gets called by the runtime. Use this method to add services to the container. |
| context.Request.Path.Value.ToLower().StartsWith("/home")) | ||
| { | ||
| var tokens = antiforgery.GetAndStoreTokens(context); | ||
| context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false }); |
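Review bot: `context.Request.Path.Value.ToLower().StartsWith("/home")` does a culture-sensitive comparison and dereferences `Path.Value`, which is null for an empty path; `context.Request.Path.StartsWithSegments("/home", StringComparison.OrdinalIgnoreCase)` is the segment-aware, null-safe form. The `HttpOnly = false` on the XSRF-TOKEN cookie is correct for this pattern (script must read it to copy the request token into a header), but a one-line comment saying so would stop a later reader from "fixing" it; the cookie that carries the other half of the token pair should stay HttpOnly.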
| @@ -22,7 +22,11 @@ namespace Microsoft.AspNetCore.Mvc | |||
| public class AutoValidateAntiforgeryTokenAttribute : Attribute, IFilterFactory, IOrderedFilter | |||
| { | |||
| /// <inheritdoc /> | |||
Inheritdoc doesn't really work with these kinds of things. You'll want to also provide a summary here.
9d1f647 to a0847a9
a0847a9 to 01b237d
Fixes aspnet/Security#1009. Since Antiforgery should be at the end of filters by default, set its order to be a large number by default.
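As an added example (not code from this PR, nor from the aspnet/Mvc or aspnet/Security repositories), the test-site wiring the review converges on: cookie authentication in place of Identity, `AutoValidateAntiforgeryTokenAttribute` registered as a global filter at its default Order so that it runs after authentication, and the middleware from the diff that hands the request token to client script. The scheme name, cookie name, header name and `/home` prefix are assumptions; the API shapes are those of ASP.NET Core 1.x, the era of this PR.

```csharp
using System;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

namespace SecurityWebSite   // assumed project name, per the review suggestion
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // Antiforgery validation compares the token pair against the current
            // user's identity, so authentication must have run before the filter
            // executes. AutoValidateAntiforgeryTokenAttribute.Order defaults to a
            // large value (1000 in this PR); leave it so that any filter with a
            // smaller Order, authentication and authorization included, runs first.
            services.AddMvc(options =>
            {
                options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
            });

            services.AddAntiforgery(options =>
            {
                // Assumed header name: AJAX calls send the request token here;
                // ordinary form posts keep using the hidden field.
                options.HeaderName = "X-XSRF-TOKEN";
            });
        }

        public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
        {
            // Cookie authentication is enough for the test site: the antiforgery
            // filter only needs an authenticated principal, not the user store
            // that Identity brings along.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationScheme = "Cookies",          // assumed scheme name
                AutomaticAuthenticate = true,
                AutomaticChallenge = true,
                LoginPath = new PathString("/Account/Login")
            });

            // Issue the request token to client script. This cookie is deliberately
            // readable by JavaScript (HttpOnly = false): the browser never attaches
            // it to a request on its own, the page's script copies its value into
            // the X-XSRF-TOKEN header. The antiforgery cookie that holds the other
            // half of the pair is written by GetAndStoreTokens and stays HttpOnly.
            app.Use(next => context =>
            {
                if (context.Request.Path.StartsWithSegments("/home", StringComparison.OrdinalIgnoreCase))
                {
                    var tokens = antiforgery.GetAndStoreTokens(context);
                    context.Response.Cookies.Append(
                        "XSRF-TOKEN",
                        tokens.RequestToken,
                        new CookieOptions { HttpOnly = false });
                }
                return next(context);
            });

            app.UseMvcWithDefaultRoute();
        }
    }
}
```

MVC orders filters by `Order` first and by scope (global, controller, action) second, so a controller- or action-level authentication filter with the default Order of 0 still precedes the global antiforgery filter at 1000; an action marked `[IgnoreAntiforgeryToken]` opts out, and an unauthenticated POST to a protected action is rejected by the cookie middleware's challenge before token validation is reached.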