
Security problem when logging off and navigating to '/controller/action'

Developer https://www.devze.com 2023-01-13 00:14 Source: web

I am using ASP.NET MVC2 and have a problem. After log off I manually type http://localhost/controller/action into the address bar, and I'm redirected to the page regardless of the fact that I have logged off. How do I solve this security risk?

Code of the controller action whose URL I type manually into the address bar:

[Authorize(Roles = "Admin")]
public ActionResult Upload()
{
    return View();
}

<%@ Page Title="" Language="C#" MasterPageFile="~/Views/Shared/Site.Master" Inherits="System.Web.Mvc.ViewPage" %>

<asp:Content ID="Content1" ContentPlaceHolderID="TitleContent" runat="server">
    Upload
</asp:Content>

<asp:Content ID="Content2" ContentPlaceHolderID="MainContent" runat="server">
    <h2>Upload</h2>
    <% using (Html.BeginForm("Upload", "Upload", FormMethod.Post, new { enctype = "multipart/form-data" }))
       { %>
          Select a file: <input type="file" name="fileUpload" id="fileUpload" />
          <input type="submit" value="Upload" />
    <% } %>
</asp:Content>

Update: Now I have discovered that I can manually type the controller and action name into the address bar and open pages on my web site before login. Why?

LogOn and LogOff actions:

    [AcceptVerbs(HttpVerbs.Post)]
    [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1054:UriParametersShouldNotBeStrings",
        Justification = "Needs to take same parameter type as Controller.Redirect()")]
    public ActionResult LogOn(string userName, string password, bool rememberMe, string returnUrl)
    {
        if (!ValidateLogOn(userName, password))
        {
            return View();
        }

        FormsAuth.SignIn(userName, rememberMe);
        if (!String.IsNullOrEmpty(returnUrl))
        {
            return Redirect(returnUrl);
        }
        else
        {
            return RedirectToAction("About", "Home");
        }
    }

    public ActionResult LogOff()
    {
        FormsAuth.SignOut();

        return RedirectToAction("Index", "Home");
    }

I have found the solution: I had put the wrong role name in ([Authorize(Roles = "Admin")]), so it was a problem with my code.


Are you sure the controller and/or action you are typing into the address bar has the [Authorize] attribute associated with it?


My guess: the page comes from the browser cache; when you press a submit button on the page you will be redirected to the login page.

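The two answers above point at two different causes: a missing or mis-spelled [Authorize] role (the asker's actual bug) and a stale copy served from the browser's back/forward cache. The following is an added example, not code from the original question or the answerers, showing how an ASP.NET MVC2 controller can close both gaps: the role name is placed on the whole controller so that no action can be reached without it, and a hypothetical NoCacheAttribute (an assumed name, not a framework type) marks every response as uncacheable so the browser has to re-request the page, and therefore be redirected to the login page, after LogOff. The UploadController, AccountController and fileUpload parameter names are assumptions for the example.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical action filter (added example). It instructs the browser and any
// intermediate cache not to store the response, so pressing "Back" or retyping the
// URL after logging off sends a fresh request that [Authorize] can reject.
public class NoCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);       // Cache-Control: no-cache
        cache.SetNoStore();                                     // Cache-Control: no-store
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // must-revalidate
        cache.SetMaxAge(TimeSpan.Zero);                         // max-age=0
        cache.SetExpires(DateTime.UtcNow.AddYears(-1));         // Expires in the past
        base.OnResultExecuting(filterContext);
    }
}

// The role string must match exactly what the configured RoleProvider returns for
// the user; a wrong name means no user is ever "Admin" (the asker's bug), and a
// missing [Authorize] means anyone can open the page before login.
// Placing the attribute on the controller covers every action, including ones
// added later, instead of relying on each action being decorated individually.
[Authorize(Roles = "Admin")]
[NoCache]
public class UploadController : Controller
{
    // GET /Upload/Upload
    public ActionResult Upload()
    {
        return View();
    }

    // POST /Upload/Upload - the same role check applies to the form submission,
    // so a cached copy of the form cannot be used to upload after logging off.
    [HttpPost]
    public ActionResult Upload(HttpPostedFileBase fileUpload)
    {
        if (fileUpload == null || fileUpload.ContentLength == 0)
        {
            ModelState.AddModelError("fileUpload", "Please select a file.");
            return View();
        }

        // File handling would go here; omitted in this example.
        return RedirectToAction("Upload");
    }
}

public class AccountController : Controller
{
    // Log-off: remove the forms-authentication ticket and drop session state so
    // that nothing server-side identifies the user on the next request.
    [NoCache]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        Session.Abandon();
        return RedirectToAction("Index", "Home");
    }
}
```

When an unauthenticated or wrong-role user requests an action guarded this way, AuthorizeAttribute returns a 401, and the forms-authentication module turns that into a redirect to the configured login URL; with the no-cache headers in place, the browser cannot satisfy the request from its cache first, so the redirect is what the user sees.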
