Forms authentication gives a too long query string


Problem description

I'm trying to make a (temporary) login storing the users in my web.config file. After adding deny to the web.config file, it gives me this error:

HTTP Error 404.15 - Not Found
The request filtering module is configured to deny a request where the query string is too long.

The URL looks like this:

http://localhost/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%2525252525252525252525252525252525253FReturnUrl%25
25252525252525252525252525252525253D%252525252525252525252525252525252525252FAccount%252525252525252525252525252525252525252FLogin%252525252525252525252525252525252525253FReturnUrl%252525252525252525252525252525252525253D%25252525252525252525252525252525252525252F

(Without deny it sets the cookie, but I can still access all the pages.)

This is how it looks in my web.config

    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" name=".ASPXAUTH" slidingExpiration="true" timeout="1440" path="/" defaultUrl="~/">
        <credentials passwordFormat="Clear">
          <user name="matchUser80" password="123Match789"/>
        </credentials>
      </forms>
    </authentication>

    <authorization>
      <deny users="?" />
    </authorization>

And my controller

    [HttpPost]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        if (FormsAuthentication.Authenticate(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, false);
            FormsAuthentication.RedirectFromLoginPage(model.UserName, false);
            if (returnUrl != null)
            {
                return Redirect(returnUrl);
            }
            return View();
        }

        ModelState.AddModelError(string.Empty, "Wrong username or password");
        return View(model);
    }

I'm using MVC 5.

Solution

You should use attributes instead of web.config configuration to authorize your MVC application. Web.config configuration should be used only with Web Forms applications.

Decorate your Login action (both the GET and POST versions) with the [AllowAnonymous] attribute.

Use the [Authorize] attribute for other controllers.

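Read this article (http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx) to see how to secure your MVC application.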

Update

I reproduced your problem locally with the default MVC project, and I had this in my web.config:

    <system.webServer>
      <modules>
        <remove name="FormsAuthentication" />
      </modules>
    </system.webServer>

Everything started working after I commented out the <remove name="FormsAuthentication" /> part.
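
The attribute-based setup this answer recommends, as an added example (not the asker's or the answerer's code): authorization is required globally, both Login actions opt out with [AllowAnonymous] so the login page cannot redirect to itself, and ReturnUrl is followed only when it is local. The `LoginModel` shape, the `FilterConfig` class and the `Home`/`Index` landing action are assumptions; the `<authorization><deny users="?" /></authorization>` block is dropped from web.config and the FormsAuthentication module is left registered.

```csharp
using System.Web.Mvc;
using System.Web.Security;
// Assumed shape of the question's LoginModel.
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

// Hypothetical FilterConfig, called from Application_Start as in the default MVC template.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Every action requires an authenticated user unless it opts out.
        filters.Add(new AuthorizeAttribute());
    }
}

public class AccountController : Controller
{
    [HttpGet]
    [AllowAnonymous] // without this the login page itself redirects to the login page
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);
        if (!FormsAuthentication.Authenticate(model.UserName, model.Password))
        {
            ModelState.AddModelError(string.Empty, "Wrong username or password");
            return View(model);
        }
        FormsAuthentication.SetAuthCookie(model.UserName, false);

        // Follow ReturnUrl only if it stays inside this application.
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home"); // assumed default landing action
    }
}
```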
