Binding action parameters to request cookies in ASP.NET MVC - what happened?

Question

In several early previews of ASP.NET MVC, arguments to controller methods would be resolved by inspecting the query string, then the form, then the cookies and server variables collections, as documented in this post from Stephen Walther (http://stephenwalther.com/blog/archive/2008/07/08/asp-net-mvc-tip-15-pass-browser-cookies-and-server-variables-as-action-parameters.aspx).

For example, this code used to work:

using System.Web.Mvc;

public class MyController : Controller {

    // This should bind to Request.Cookies["userId"].Value
    public ActionResult Welcome(int userId) {

        // WebUser is the application's own user class
        WebUser wu = WebUser.Load(userId);
        ViewData["greeting"] = "Welcome, " + wu.Name;
        return View();
    }
}

but now running against the release candidate, it throws an exception because it can't find a value for userId, even though userId definitely appears in the request cookies.

Was this change covered anywhere in the release notes? If this is a change to the framework, is there now a recommended alternative to binding cookies and server variables in this way?

Edit: Thanks to those of you who have responded so far. I may have picked a bad example to demonstrate this; our code uses cookies for various forms of "convenient" but non-essential persistence (remembering ordering of search results, that kind of thing), so it's by no means purely an authentication issue. The security implications of relying on user cookies are well documented; I'm more interested in current recommendations for flexible, easily testable techniques for retrieving cookie values. (As I'm sure you can appreciate, the above example may have security implications, but is very, very easy to test!)

Recommended answer

I believe it was the security implications that persuaded them to take these out:

The comments in Stephen Walther's post ASP.NET MVC Tip 15 (http://stephenwalther.com/blog/archive/2008/07/08/asp-net-mvc-tip-15-pass-browser-cookies-and-server-variables-as-action-parameters.aspx), leading to Phil Haack's posting User Input in Sheep's Clothing, especially his comment here:

@Troy - Step one is to dissuade devs from that line of thinking in the first place. ;) Step one prime (in parallel) is for us to remove the possibility of this line of thinking in this case.

The larger point still stands, we can make this change (after discussing it, we probably will), but that doesn't mean that it's suddenly safe to trust action method parameters.

Coupled with the complications of how you would call these methods from the various action builder classes.

I can't seem to find any explicit documentation one way or another about the controllers behaving like this other than Stephen's post, so I guess it was "quietly dropped".
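
One way to bind a cookie to an action parameter explicitly rather than through an implicit lookup, shown as an added example (not code from the question, the answer, or the ASP.NET MVC project). It assumes ASP.NET MVC 1.0 or later; FromCookieAttribute, SearchController and the "sortOrder" cookie with its allowed values are hypothetical names constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical opt-in attribute: binds one action parameter from a request
// cookie, accepting only values on an explicit allowlist.
[AttributeUsage(AttributeTargets.Parameter)]
public sealed class FromCookieAttribute : CustomModelBinderAttribute, IModelBinder
{
    private readonly string _cookieName;
    private readonly string _fallback;
    private readonly HashSet<string> _allowed;

    // allowed[0] doubles as the fallback for a missing or unexpected cookie.
    public FromCookieAttribute(string cookieName, params string[] allowed)
    {
        if (allowed == null || allowed.Length == 0)
            throw new ArgumentException("At least one allowed value is required.", "allowed");
        _cookieName = cookieName;
        _fallback = allowed[0];
        _allowed = new HashSet<string>(allowed, StringComparer.Ordinal);
    }

    public override IModelBinder GetBinder() { return this; }

    public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
    {
        // The cookie is client-controlled: never pass it through unchecked.
        HttpCookie cookie = controllerContext.HttpContext.Request.Cookies[_cookieName];
        string raw = cookie == null ? null : cookie.Value;
        return (raw != null && _allowed.Contains(raw)) ? raw : _fallback;
    }
}

public class SearchController : Controller
{
    // "sortOrder" is a constructed cookie name for the non-essential
    // preference mentioned in the question (ordering of search results).
    public ActionResult Results([FromCookie("sortOrder", "relevance", "date", "price")] string sortOrder)
    {
        ViewData["sortOrder"] = sortOrder;
        return View();
    }
}
```

Because the action still takes a plain string, a unit test can call Results("date") directly without constructing a request or a cookie collection.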
