使用 endResponse 重定向到真正的 VS CompleteRequest 和安全线程的页面 [英] Redirect to a page with endResponse to true VS CompleteRequest and security thread
问题描述
基于这个问题和那里的答案,我喜欢请问什么是正确的重定向方式.
使用Redirect(url, endResponse)的默认方式抛出 ThreadAbortException 因为它是用 endResponse=true 调用的,它调用了 End() 方法,所以,如果你在 try/中使用它catch 块,此 此处显示的异常 可以假定为错误,但实际上用户是尝试通过停止页面处理的其余部分重定向到页面.
其他可能的方法是调用 Redirect(url, endResponse) 和 endResponse=false,然后是 HttpContext.Current.ApplicationInstance.CompleteRequest(); 使用它不会有任何异常.
所以问题是什么更好用以及为什么.
您必须始终使用 endRespose=true 调用重定向,否则任何黑客都可以通过简单地保持重定向来查看页面上的内容.
为了证明我在 Firefox 中使用了 NoRedirect 插件保持重定向.然后我测试了这两种情况,结果如下:
我有一个简单的页面,里面有那个文本
</表单>
然后在页面加载时尝试在两种情况下进行重定向:
第一种情况,使用 Complete Request();
试试{//使用未抛出异常的 false 重定向Response.Redirect("SecondEndPage.aspx", false);//完成请求HttpContext.Current.ApplicationInstance.CompleteRequest();}捕获(异常 x){}然后繁荣,您可以看到页面内的内容!
第二种情况
试试{//这是抛出 ThreadAbortException 异常Response.Redirect("SecondEndPage.aspx", true);}捕获(线程中止异常){//忽略它,因为我们知道它来自重定向}捕获(异常 x){}现在没有显示.
因此,如果您不喜欢黑客查看您页面上的内容,您必须将 endResponse 设置为 true 调用它并停止其他处理 - 例如从函数返回而不是继续.
例如,如果您检查用户是否通过身份验证,他可以看到该页面,否则他必须重定向到登录,甚至在登录时,如果您尝试使用 endResponse 将他重定向为 false,那么保持重定向黑客可以看 - 您认为不能,因为您使用了重定向.
我的基本观点 这里是展示如果您不停止将数据发送回浏览器,则存在的安全线程.重定向是浏览器的标头和指令,但同时您需要停止发送任何其他数据,您必须停止发送页面的任何其他部分.
Base on this questions and the answers there, I like to ask what is the proper way of redirecting.
The default way using the Redirect(url, endResponse) is throw the ThreadAbortException because is called with endResponse=true that calls the End() method and so, if you use it inside a try/catch block, this exception shown there and that can be assumed as error, but actually a user is try to redirect to a page by stopping the rest of the page processing.
The other possible ways is to call the Redirect(url, endResponse) with endResponse=false following by HttpContext.Current.ApplicationInstance.CompleteRequest(); By using that you do not get any exceptions.
So the question is what is better to use and why.
You must call the redirect always with endRespose=true or else any hacker can see whats on the page by simple hold the redirect.
To prove that I use the NoRedirect plugin for Firefox to hold the redirect. Then I test the two cases and here is the results:
I have a simple page with that text inside it
<form id="form1" runat="server">
<div>
I am making a redirect - you must NOT see this text.
</div>
</form>
and then on Page load try to make the redirect with both cases:
First case, using the Complete Request();
try
{
// redirect with false that did not throw exception
Response.Redirect("SecondEndPage.aspx", false);
// complete the Request
HttpContext.Current.ApplicationInstance.CompleteRequest();
}
catch (Exception x)
{
}
and there boom, you can see whats inside the page !
And second case
try
{
// this is throw the ThreadAbortException exception
Response.Redirect("SecondEndPage.aspx", true);
}
catch (ThreadAbortException)
{
// ignore it because we know that come from the redirect
}
catch (Exception x)
{
}
Nothing shown now.
So if you do not like a hacker to see whats on your page, you must call it with endResponse to true and stop what other processing is made -eg return from function and not continue.
If for example you check if the user is authenticated he can see that page or if not he must redirect to login, and even in the login if you try to redirect him with endResponse to false, then holding the redirect the hacker can see - what you believe that can not because you use the Redirect.
My basic point here is to show the security thread that exist if you are not stop to send data back to the browser. The redirect is a header and instruction to the browser, but at the same time you need to stop send any other data, you must stop send any other part of your page.
这篇关于使用 endResponse 重定向到真正的 VS CompleteRequest 和安全线程的页面的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
