授权和ASP.NET MVC缓存 [英] Authorization and ASP.NET MVC Caching
问题描述
我在ASP.NET MVC缓存和授权,并澄清一些急需困惑。
I'm confused on ASP.NET MVC caching and authorization and in dire need of some clarification.
我自制的授权属性从 AuthorizeAttribute 继承。其覆盖 AuthorizeCore 方法运行每一次,就算我设置了 [的OutputCache] 属性上的控制器的动作。我理解的那部分。
My self-made authorization attribute inherits from AuthorizeAttribute. Its overridden AuthorizeCore method runs every time, even if I set an [OutputCache] attribute on a controller action. I understand that part.
现在对我来说是脑筋急转弯: AuthorizeCore 将失败的现在,当我真正做输出缓存和页面每次从缓存提供。其原因是,当请求被高速缓存,提供的 httpContext.Session 与 AuthorizeCore 为 空 !?下面是一些简单的code:
Now the mind bender for me: AuthorizeCore will fail every time now when I actually do output caching and the page is served from the cache. The reason is that when the request is cached, the httpContext.Session supplied with AuthorizeCore is null!? Here's some simplified code:
protected override bool AuthorizeCore(HttpContextBase httpContext) {
return (Session["userId"] != null)
}
所以,如果 httpContext.Session 是空,这显然无法每次。我需要,虽然访问会话,我还能怎么检查是否请求被授权?这没有任何意义 - 如果这是应该的话,我会的从不的能够在ASP.NET MVC认证一起使用缓存的页面。帮助?
So if httpContext.Session is null, this obviously fails every time. I need to access the session though, how else can I check if the request is authorized? This doesn't make any sense - if this is how it should be then I would never be able to use cached pages together with authentication in ASP.NET MVC. Help?
推荐答案
有两个独立的问题:
- 验证是否与工作中的缓存MVC?
- 请问会议的工作在缓存面对身份验证(即使是未经验证的用户,谁仍然有希望唯一的会话)之前?
问题的答案,分别是yes和no。认证工作正常缓存。与SQL或域成员资格提供试试看;你会看到。
The answers, respectively, are yes and no. Authentication works fine with caching. Try it with the SQL or Domain membership providers; you'll see.
缓存,但是,可以验证模块之前运行。 (奖励积分:为什么?),如果它明确挂钩缓存(如AuthorizeAttribute一样)认证,才会调用。由于会话是用户特定的,还有的没有的保证你有AuthorizeCore内的会话。
Caching, however, can run before the authentication module. (For bonus points: Why?) Authentication is called only if it specifically hooks the cache (as AuthorizeAttribute does). Because sessions are user-specific, there is no guarantee you'll have a session inside of AuthorizeCore.
更多奖励积分:如何可能这一变化,如果你在你的缓存配置指定varyByUser
More bonus points: How might this change if you specified varyByUser in your cache configuration?
不幸的是,这样做认证右边是很难,因为做任何类型的担保权是很难。微软试图使这个更容易的成员资格提供API。 我强烈建议实现自定义身份验证时使用该。我还建议使用内置的供应商和延长他们,而不是重写他们只要有可能。
Unfortunately, doing authentication right is hard, because doing any kind of security right is hard. Microsoft tries to make this easier with the membership provider API. I strongly recommend using that when implementing custom authentication. I also recommend using the built-in providers and extending them instead of rewriting them whenever possible.
另一点:ASP.NET会话提供商和ASP.NET成员资格提供程序是的完全的独立。不同会员用户可以共享(!)会话,并且,<一个href=\"http://blogs.sans.org/appsecstreetfighter/2009/06/14/session-attacks-and-aspnet-part-1/\">yes,可以attack一个网站这样。它的从不安全投入与安全相关的信息在一个会话。安全性是很难的。
One other point: The ASP.NET Session provider and the ASP.NET Membership provider are entirely separate. Different membership users can share (!) a session, and, yes, you can attack a site this way. It is never safe to put security-related info in a session. Security is hard.
这篇关于授权和ASP.NET MVC缓存的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
