为什么ASP.NET Identity中的注销使用POST而不是GET? [英] Why does Logout in ASP.NET Identity use POST instead of GET?

问题描述

示例身份项目使用它注销:/p>

The sample Identity project uses this to log out:

@if (Request.IsAuthenticated) {
  using (Html.BeginForm("LogOff", "Account", FormMethod.Post, new { id = "logoutForm", @class = "navbar-right" })) {
    @Html.AntiForgeryToken()
    <ul class="nav navbar-nav navbar-right">
       <li>@Html.ActionLink("Hello " + User.Identity.GetUserName() + "!", "Index", "Manage", routeValues: null, htmlAttributes: new { title = "Manage" })</li>
       <li><a href="javascript:document.getElementById('logoutForm').submit()">Log off</a></li>
    </ul>
  }
}

AccountController.LogOff()操作方法具有[HttpPost].

我能想到的使用POST而不是GET的唯一原因是[ValidateAntiForgeryToken].而且我看不出这样做的目的，我们要做的只是注销.

The only reason I can think of to use a POST rather than a GET, is the [ValidateAntiForgeryToken]. And I don't see the purpose to that, all we're doing is logging out.

这肯定是矫kill过正吗?为什么不使用常规的GET链接?

Surely this is overkill? Why not use a regular GET link?

推荐答案

原因很简单，任何影响用户会话状态的事情都不应该是get操作. Get操作只能用于幂等操作(即，多次调用具有相同的效果，并且不会改变)状态).

The reason is simple, anything that affects the state of the users session should never be a get action. Get actions should only ever be used for idempotent actions (ie, calling it multiple times has the same effect, and does not change state).

考虑一下，原因应该很明显.浏览器可以自由缓存，甚至可以预取获取url(许多现代浏览器都可以做到这一点).您不希望浏览器意外地注销您，因为它正在预获取获取链接.

If you think about it, the reason should be obvious. Browsers are free to cache, or even pre-fetch get url's (and many modern browsers do just that). You wouldn't want the browser to accidentally log you out because it was pre-fetching a get link.

现在，对于给定的代码，这不再是问题，因为我认为浏览器不会预取与JavaScript关联的链接(尽管我可能错了).

Now, that's less of an issue with the given code, as I don't think browsers will pre-fetch links that are associated with JavaScript (although I could be wrong).

更大的问题是，如果注销是get操作，则任何未经过滤的用户发布数据都可能导致注销.例如，假设您的网站上有一个论坛，并且允许发布图像.假设某人在src="http://url-to-log-off-the-site"处发布了图片，这可能会造成很多破坏，因为如果没有注销，您甚至无法查看该页面以将其删除.

A bigger issue is, if your logoff is a get action, then any unfiltered user-posted data could cause a logoff. For instance, suppose you have a forum on your site, and you allow images to be posted. Let's say someone posts an image where the src="http://url-to-log-off-the-site", this can cause a lot of havoc, since you can't even view the page to delete it without it logging you off.

此外，在给定的示例中，还有一个用于防伪令牌的表单字段，该字段将被编码到GET中的URL中.您不想这样做.

Additionally, in the given example, there is a form field for the Anti-Forgery token, which would be encoded into the URL in a GET.. You wouldn't want to do that.

您认为使用防伪令牌是过大的，原因是您不了解防伪令牌的用途.它们旨在防止攻击者接管您的会话……并且您不希望攻击者将您注销(不要天真地认为您的站点不足以进行攻击，自动bot会漫游互联网，不在乎您的网站有多重要).

Your belief that using an anti-forgery token is overkill is because you don't understand what anti-forgery tokens are for. They're designed to prevent attackers from taking over your session... and you wouldn't want an attacker to log you out (don't be naïve enough to believe your site isn't important enough to attack, automated bots roam the internet and don't care about how important your site is).

这篇关于为什么ASP.NET Identity中的注销使用POST而不是GET?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！