重定向到 returnUrl 如何在 Asp.Net MVC5 中工作 [英] How does redirect to returnUrl work in Asp.Net MVC5
问题描述
我已经开始了一个新的 MVC 5 站点,使用新的 Asp.Net Identity 和 Owin.在具有 [Authorize] 属性的帐户"控制器中,我有相当标准的操作;
//GET:/User/Login[允许匿名]公共 ActionResult 登录(字符串 returnUrl){ViewBag.ReturnUrl = returnUrl;返回视图();}//POST:/用户/登录[HttpPost][允许匿名][验证AntiForgeryToken]公共异步任务登录(LoginViewModel 模型,字符串 returnUrl){尝试{如果(模型状态.IsValid){var userApi = new UserService();var apiUser = await userApi.LogIn(UserManager, model.CardNumber, model.Pin, model.RememberMe);如果(apiUser != null){等待 SignInAsync(apiUser, model.RememberMe);如果 (string.IsNullOrEmpty(returnUrl)){return RedirectToAction("UserLoggedIn", "User");}}别的{ModelState.AddModelError("", "无效的用户名或密码.");}}}捕获(异常前){Trace.TraceError("无法登录{0}", ex.ToString());Response.AppendToLog(ex.ToString());ModelState.AddModelError("", ex.ToString());}//如果我们到了这一步,有些事情失败了,重新显示表单返回视图(模型);} 我的问题是关于 returnUrl 行为,上面的代码的工作原理是,如果用户未登录并在具有 [Authorize] 属性的控制器中调用操作,它会被发送到登录上面的操作,然后返回到请求的控制器/操作.哪个很棒,但是如何?安全吗?
在这篇关于防止开放重定向攻击的文章中"(对于早期版本的 Asp.Net MVC)建议在执行重定向之前检查 returnUrl 是否是本地 url,是我仍然应该做的事情还是现在由框架处理?
干杯,欧拉
您需要使用此方法检查 url 是否确实是本地的(框架不会自动处理):http://msdn.microsoft.com/en-us/library/system.web.mvc.urlhelper.islocalurl%28v=vs.118%29.aspx
if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl)){返回重定向(returnUrl);}I've started a new MVC 5 site, using the new Asp.Net Identity with Owin. In my "account" controller which has the attribute [Authorize], I have fairly standard actions;
// GET: /User/Login
[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
ViewBag.ReturnUrl = returnUrl;
return View();
}
// POST: /User/Login
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
try
{
if (ModelState.IsValid)
{
var userApi = new UserService();
var apiUser = await userApi.LogIn(UserManager, model.CardNumber, model.Pin, model.RememberMe);
if (apiUser != null)
{
await SignInAsync(apiUser, model.RememberMe);
if (string.IsNullOrEmpty(returnUrl))
{
return RedirectToAction("UserLoggedIn", "User");
}
}
else
{
ModelState.AddModelError("", "Invalid username or password.");
}
}
}
catch (Exception ex)
{
Trace.TraceError("Cannot login {0}", ex.ToString());
Response.AppendToLog(ex.ToString());
ModelState.AddModelError("", ex.ToString());
}
// If we got this far, something failed, redisplay form
return View(model);
}
My question is in regards to the returnUrl behavior, the code above works in the sense that, if a user is not logged in and calls a action in a controller that has the attribute [Authorize], it gets sent to the login actions above and then returned to the controller/action that was requested. Which is great, BUT how?? And is it safe?
In this article about "Preventing open redirect attacks"(for earlier versions of Asp.Net MVC) the recommendation is to do a check on the returnUrl that it's a local url before doing the redirect, is that something I should still do or is it now handled by the framework?
Cheers, Ola
You need to check if the url is local indeed using this method (it is not handled by the framework automatically): http://msdn.microsoft.com/en-us/library/system.web.mvc.urlhelper.islocalurl%28v=vs.118%29.aspx
if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
{
return Redirect(returnUrl);
}
这篇关于重定向到 returnUrl 如何在 Asp.Net MVC5 中工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
