为什么会User.IsInRole返回true，但不AuthorizeAttribute？ [英] Why would User.IsInRole return true, but AuthorizeAttribute not?

问题描述

我的安全ASP.NET MVC 2应用程序，而我是谁中的角色富。用户

I'm securing an ASP.NET MVC 2 application, and I have a user who is in the role "Foo".

这是正确的：

User.IsInRole("Foo")

不过不失，当我试图锁定类似下面的控制器操作，用户被拒绝：

But yet, when I attempt to lock down a controller action like the following, the user is denied:

[Authorize(Roles = "Foo")]
public ActionResult PrivatePage()
{
    return View();
}

如果IsInRole报道属实，为什么会授权属性不允许用户？

If IsInRole reports true, why would the Authorize attribute not allow the user in?

推荐答案

它可以，如果你存储永久性Cookie您的窗体身份验证cookie造成的。在这种情况下IsInRole可以检查对cookie的未经核实的最新登录。

It could be caused if you are storing persistent cookies for your forms authentication cookie. In that scenario IsInRole may check against the cookie without verifying up to date login.

这篇关于为什么会User.IsInRole返回true，但不AuthorizeAttribute？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！