重定向到一个页面，endResponse真VS CompleteRequest和安全线 [英] Redirect to a page with endResponse to true VS CompleteRequest and security thread

问题描述

立足这个问题和答案有，我喜欢要问什么是重定向的正确方法。

Base on this questions and the answers there, I like to ask what is the proper way of redirecting.

使用重定向（URL，endResponse）是默认方式扔 ThreadAbortException ，因为被称为与 endResponse = TRUE 调用结束（）法等，如果你使用它一个try / catch块中，显示有此例外< /一>以及可以假定为错误的，但实际上是一个用户正在尝试通过停止页面处理的其余部分重定向到一个页

The default way using the Redirect(url, endResponse) is throw the ThreadAbortException because is called with endResponse=true that calls the End() method and so, if you use it inside a try/catch block, this exception shown there and that can be assumed as error, but actually a user is try to redirect to a page by stopping the rest of the page processing.

其他可能的方法是调用重定向（URL，endResponse）与 endResponse = FALSE 继 HttpContext.Current.ApplicationInstance.CompleteRequest（）; 通过使用你没有得到任何异常

The other possible ways is to call the Redirect(url, endResponse) with endResponse=false following by HttpContext.Current.ApplicationInstance.CompleteRequest(); By using that you do not get any exceptions.

所以，问题是什么是更好的使用和为什么。

So the question is what is better to use and why.

推荐答案

您必须始终呼叫重定向 endRespose = TRUE 或其他任何黑客就可以看到最新的页面上通过简单的按住重定向。

You must call the redirect always with endRespose=true or else any hacker can see whats on the page by simple hold the redirect.

要证明我使用 NoRedirect 插件的Firefox举行重定向。然后，我测试两种情况，这里是结果：

To prove that I use the NoRedirect plugin for Firefox to hold the redirect. Then I test the two cases and here is the results:

我有里面的文本一个简单的页面

I have a simple page with that text inside it

<form id="form1" runat="server">
<div>
I am making a redirect - you must NOT see this text.
</div>
</form>

然后在页面加载设法与这两种情况下重定向：

and then on Page load try to make the redirect with both cases:

一情况下，使用完整的请求（）;

First case, using the Complete Request();

    try
    {
        // redirect with false that did not throw exception
        Response.Redirect("SecondEndPage.aspx", false);
        // complete the Request
        HttpContext.Current.ApplicationInstance.CompleteRequest();
    }
    catch (Exception x)
    {

    }

和那里的繁荣，你可以看到最新的页面里面！

and there boom, you can see whats inside the page !

和第二种情况

try
{
    // this is throw the ThreadAbortException exception
    Response.Redirect("SecondEndPage.aspx", true);
}
catch (ThreadAbortException)
{
    // ignore it because we know that come from the redirect
}
catch (Exception x)
{

}

现在没有任何显示。

Nothing shown now.

所以，如果你不喜欢一个黑客看到最新页面上，您必须endResponse为true 调用它，阻止功能是由什么其他的处理-eg回报，而不是继续。

So if you do not like a hacker to see whats on your page, you must call it with endResponse to true and stop what other processing is made -eg return from function and not continue.

例如，如果你检查，如果用户进行身份验证，他可以看到，页面或如果不是他必须重定向登录，甚至在登录，如果你试图给他重定向与endResponse为false，那么持有重定向黑客可以看 - 你所相信的，可不会因为你使用重定向

If for example you check if the user is authenticated he can see that page or if not he must redirect to login, and even in the login if you try to redirect him with endResponse to false, then holding the redirect the hacker can see - what you believe that can not because you use the Redirect.

我的基本观点这里是要表明存在，如果你不停止发送数据返回给浏览器的安全线。重定向是一个标题和指令到浏览器，但你需要停止发送任何其他数据的同时，你必须停止发送网页的其他部分。

My basic point here is to show the security thread that exist if you are not stop to send data back to the browser. The redirect is a header and instruction to the browser, but at the same time you need to stop send any other data, you must stop send any other part of your page.

这篇关于重定向到一个页面，endResponse真VS CompleteRequest和安全线的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！