
XSRF token expired after website publish to IIS

I am using the ASP.NET Boilerplate framework, and I put the code below in every page.

@inject IAbpAntiForgeryManager AbpAntiForgeryManager

@{
    AbpAntiForgeryManager.SetCookie(Context);
}

I call the app service as below:

var xhr = abp.services.app.order.add(data);

xhr.done(function (data) {
    alert(data);
});

Everything works fine when I run on localhost; the XSRF token does not expire even if I rebuild the project. Every time I click [Publish website to IIS], all the ajax requests return 400 Bad Request. I guess it is because the XSRF token has expired; everything is back to normal after I press F5 in the browser. It is so annoying for the user. Is there anything I can do to prevent this error? Or auto refresh the token?

Thank you!

Update

Error message in the log file:

ERROR 2019-02-12 13:40:09,773 [71   ] .Antiforgery.Internal.DefaultAntiforgery - An exception was thrown while deserializing the token.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {996d31d2-0fa3-4ffe-8e82-e155c1486d33} was not found in the key ring.

Based on the error, it sounds like your Data Protection keys have rotated on publish. Check out the docs on Data Protection here: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/introduction?view=aspnetcore-2.2. There's a bunch of options for how to configure it, where to store keys, etc. You'll want to change how it is storing them.

More on configuring Data Protection: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-2.2.
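
To reproduce the "key was not found in the key ring" failure and show the effect of persisting keys, here is an added example (not code from the original post or from ASP.NET Boilerplate). It builds two Data Protection providers in sequence to stand in for the app before and after a restart; the purpose string, application name and key directory are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class KeyRingDemo
{
    // Each call builds a new provider, standing in for the app process
    // that starts after a publish recycles the application pool.
    static IDataProtector StartApp(Action<IDataProtectionBuilder> configure)
    {
        var services = new ServiceCollection();
        configure(services.AddDataProtection());
        return services.BuildServiceProvider()
            .GetDataProtectionProvider()
            .CreateProtector("Demo.Token"); // constructed purpose string
    }

    // Protect with one app instance, then unprotect with the next one.
    static bool SurvivesRestart(Action<IDataProtectionBuilder> configure)
    {
        string token = StartApp(configure).Protect("constructed-token-payload");
        try
        {
            StartApp(configure).Unprotect(token);
            return true;
        }
        catch (CryptographicException) // key is not in the new key ring
        {
            return false;
        }
    }

    public static void Main()
    {
        // Assumed location; use a directory outside the publish target.
        var keyDir = new DirectoryInfo(
            Path.Combine(Path.GetTempPath(), "demo-dp-keys"));

        // Keys held only in memory: every restart starts a new key ring.
        bool inMemory = SurvivesRestart(b => b.UseEphemeralDataProtectionProvider());

        // Keys persisted to disk under one application name (hypothetical).
        bool persisted = SurvivesRestart(b => b
            .PersistKeysToFileSystem(keyDir)
            .SetApplicationName("DemoApp"));

        Console.WriteLine($"in-memory keys survive restart: {inMemory}");
        Console.WriteLine($"persisted keys survive restart: {persisted}");
    }
}
```

The same builder calls go in `Startup.ConfigureServices` of the web application. Keys written by `PersistKeysToFileSystem` are stored unencrypted unless a `ProtectKeysWith*` option is also configured, so restrict the directory's ACL to the app pool identity.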
