如何重定向Asp.Net MVC5到RETURNURL工作 [英] How does redirect to returnUrl work in Asp.Net MVC5

问题描述

我已经开始了一个新的MVC 5个网站，使用新的Asp.Net身份与Owin。在我的账户控制器，它具有属性[授权]，我有相当标准的行为;

I've started a new MVC 5 site, using the new Asp.Net Identity with Owin. In my "account" controller which has the attribute [Authorize], I have fairly standard actions;

   // GET: /User/Login
        [AllowAnonymous]
        public ActionResult Login(string returnUrl)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        } 

// POST: /User/Login
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
        {
            try
            {
                if (ModelState.IsValid)
                {
                    var userApi = new UserService();
                    var apiUser = await userApi.LogIn(UserManager, model.CardNumber, model.Pin, model.RememberMe);

                    if (apiUser != null)
                    {
                        await SignInAsync(apiUser, model.RememberMe);
                        if (string.IsNullOrEmpty(returnUrl))
                        {                                   
                            return RedirectToAction("UserLoggedIn", "User");    
                        }
                    }
                    else
                    {
                        ModelState.AddModelError("", "Invalid username or password.");
                    }
                }

            }
            catch (Exception ex)
            {
                Trace.TraceError("Cannot login {0}", ex.ToString());
                Response.AppendToLog(ex.ToString());
                ModelState.AddModelError("", ex.ToString());
            }
            // If we got this far, something failed, redisplay form
            return View(model);
        }

我的问题是关于在RETURNURL行为中，code以上，如果用户没有登录并调用具有属性[授权]控制器的动作在这个意义上的作品，它被发送到登录操作上面，然后返回到被请求的控制器/动作。这是伟大的，但如何？而且它是安全？

My question is in regards to the returnUrl behavior, the code above works in the sense that, if a user is not logged in and calls a action in a controller that has the attribute [Authorize], it gets sent to the login actions above and then returned to the controller/action that was requested. Which is great, BUT how?? And is it safe?

在这篇文章中关于 preventing开放重定向攻击（对于早期版本的Asp.Net的MVC）的建议是做对RETURNURL，它是做重定向之前本地网址一查，是我的东西还是应该做的还是它现在由框架处理？

In this article about "Preventing open redirect attacks"(for earlier versions of Asp.Net MVC) the recommendation is to do a check on the returnUrl that it's a local url before doing the redirect, is that something I should still do or is it now handled by the framework?

干杯，
奥拉

推荐答案

您需要检查URL是当地确实用这个方法（它不是由框架自动处理）：<一href=\"http://msdn.microsoft.com/en-us/library/system.web.mvc.urlhelper.islocalurl%28v=vs.118%29.aspx\">http://msdn.microsoft.com/en-us/library/system.web.mvc.urlhelper.islocalurl%28v=vs.118%29.aspx

You need to check if the url is local indeed using this method (it is not handled by the framework automatically): http://msdn.microsoft.com/en-us/library/system.web.mvc.urlhelper.islocalurl%28v=vs.118%29.aspx

if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
{
  return Redirect(returnUrl);
}

这篇关于如何重定向Asp.Net MVC5到RETURNURL工作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！