Using ASP.NET MVC OutputCache while varying View content based on whether user is authenticated


Problem description

I'm building an ASP.NET MVC 2 site where I'm using the OutputCache parameter heavily. However, I have a concern: using such caching may interfere with authentication.

On all of my pages, I display whether the user is logged in or not. Furthermore, in some of my Views, I do filtering based on user role to determine whether or not to display some page content (for example, the Edit link on one of my pages is only shown to users in the roles of Moderator or Administrator).

Will using OutputCache interfere with this dynamic changing of my Views? If so, how can I resolve this problem without eliminating caching?

Recommended answer

The [OutputCache] and [Authorize] attributes play well with one another. The AuthorizeAttribute.OnAuthorization() method sets a hook into the output caching system that forces the authorization filter to re-run before the page is served from the cache. If the authorization filter logic fails, it will be treated as a cache miss. If the authorization logic succeeds, the page will be served from the cache. So if you have [Authorize(Roles = "Moderator, Administrator")] and [OutputCache] on an action, the page will not be served from the cache unless the current user is in the Moderator or Administrator roles.

Note that this does not vary by user or role; it's literally re-running the original check. Imagine that User A (who is a Moderator) comes in and causes the page to be cached. Now User B (who is an Administrator) comes in and hits the cached page. The [Authorize] check will succeed since both Administrator and Moderator are allowed, and the response served to User B will contain the exact same contents as the response that was served to User A.

Note that response substitution does not work in MVC 2. If you're serving potentially sensitive data, the best bet here is not to cache it. If you absolutely need to cache, you can mimic something similar to response substitution by using an AJAX callback to dynamically fill in the missing data.
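
The AJAX-callback approach from the answer above, sketched as an added example (not code from the original answer): a cached page shell that contains nothing user-specific, an uncached action that returns the per-user data, and the role check enforced on the Edit action itself. The controller name, action names, and the 300-second duration are assumptions.

```csharp
using System.Web.Mvc;
using System.Web.UI; // OutputCacheLocation

// Hypothetical controller: names, route values and the duration are assumptions.
public class ArticleController : Controller
{
    // Cached page shell. It is shared by every visitor, so the view must not
    // render the user name, roles, or the Edit link.
    [OutputCache(Duration = 300, VaryByParam = "id")]
    public ActionResult Details(int id)
    {
        ViewData["ArticleId"] = id;
        return View();
    }

    // Per-user fragment, requested by script in the cached page (AJAX POST)
    // and evaluated against the current request's identity every time.
    [HttpPost]
    [OutputCache(Location = OutputCacheLocation.None, NoStore = true)]
    public ActionResult UserPanel(int id)
    {
        bool signedIn = Request.IsAuthenticated;
        bool canEdit = signedIn &&
            (User.IsInRole("Moderator") || User.IsInRole("Administrator"));

        return Json(new
        {
            signedIn = signedIn,
            userName = signedIn ? User.Identity.Name : null,
            editUrl = canEdit ? Url.Action("Edit", new { id = id }) : null
        });
    }

    // Hiding the link is presentation only; the action enforces the roles itself.
    [Authorize(Roles = "Moderator, Administrator")]
    public ActionResult Edit(int id)
    {
        ViewData["ArticleId"] = id;
        return View();
    }
}
```

The script in the cached view should insert `userName` as text rather than as HTML when it fills in the placeholder.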
