Using the browser's back button after SignOut() allows access to secure page (ASP.NET MVC)


Problem description

I have an MVC app that uses [Authorize] to protect the private bits. When I select the SignOut() URL it signs me out, but if I hit the back button on my browser it goes to the secure page and even lets me use the form. The action takes place and then it shows that I'm signed out. The problem is that it performs the secured action (inserting a row into my database). Then I can use the back button again and do it all over. If I use the back button after logging out and hit the browser refresh, it does show I'm logged out and refuses me access to the secure page.

Am I missing something important? It seems like it could be a really big security issue.

public ActionResult LogOff(string ReturnUrl)
{
    // Clears the forms-authentication ticket cookie for this browser session.
    FormsAuth.SignOut();

    // Only follow ReturnUrl when it points back into this site; redirecting to an
    // arbitrary caller-supplied URL is an open redirect. Url.IsLocalUrl is available
    // in ASP.NET MVC 3 and later.
    if (!String.IsNullOrEmpty(ReturnUrl) && Url.IsLocalUrl(ReturnUrl))
    {
        return Redirect(ReturnUrl);
    }

    return RedirectToAction("Index", "Page");
}

Recommended answer

I think the problem is that the browser caches the page. That's why it doesn't reload the page after you click the back button. If you specify in the headers that the page should not be cached, it should reload the page after hitting the back button, and then the user is refused.

However, getting it to work might be tricky in some cases. See this Caching Tutorial for more info.
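One way to send the headers the answer describes, as an added example that is not the answerer's code and not part of the original question: an ASP.NET MVC action filter built on System.Web.Mvc.ActionFilterAttribute that marks every decorated response as non-cacheable. The controller and action names below are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Action filter that marks every response it decorates as non-cacheable, so that
// pressing Back after signing out forces the browser to re-request the page
// (which [Authorize] then rejects) instead of replaying a stored copy.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class NoBrowserCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpResponseBase response = filterContext.HttpContext.Response;
        HttpCachePolicyBase cache = response.Cache;

        // Cache-Control: no-cache. For NoCache, ASP.NET also emits
        // "Pragma: no-cache" and "Expires: -1" for HTTP/1.0 clients and proxies.
        cache.SetCacheability(HttpCacheability.NoCache);

        // Cache-Control: no-store. Browsers treat no-store, not no-cache, as the
        // signal to keep the page out of the back/forward cache, so this is the
        // directive that actually fixes the Back-button case.
        cache.SetNoStore();

        // Cache-Control: must-revalidate, proxy-revalidate, so any cache that still
        // holds a copy must check with the origin before serving it.
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);

        // Cache-Control: max-age=0.
        cache.SetMaxAge(TimeSpan.Zero);

        base.OnResultExecuting(filterContext);
    }
}

// Usage (hypothetical controller): apply the filter next to [Authorize] on every
// controller that renders private data or hosts forms for secured actions.
[Authorize]
[NoBrowserCache]
public class OrdersController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

The cache headers only decide what the browser shows when the user presses Back; they do not authorize anything. The POST action that performs the insert must itself carry [Authorize] (and ideally [HttpPost] and [ValidateAntiForgeryToken]) so that a form replayed from a stale page is rejected server-side once SignOut() has removed the authentication cookie. In ASP.NET MVC 3 and later the filter can also be registered once for the whole application with GlobalFilters.Filters.Add(new NoBrowserCacheAttribute()) in Application_Start.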
