的OutputCache并授权滤波器MVC3 [英] OutputCache and Authorize filters in MVC3
问题描述
我正在读一本关于MVC2,并在部分的OutputCache它规定:
I am reading a book about MVC2, and in the OutputCache section it states:
警告在前面的授权过滤器是怎样互动
与输出缓存,我解释说,[授权]有特殊
行为,以确保未经授权的访问者无法获取敏感
只是因为它已经缓存的信息。 但是,除非你
特别是prevent它,它仍然可能是缓存的产量可能
被输送到不同的授权用户一个比对他们来说
最初产生的。单向至prevent这将是
实现您的访问控制特定内容项目作为
授权过滤器(从AuthorizeAttribute派生)而不是
简单地执行授权逻辑内联的操作方法,
因为AuthorizeAttribute知道如何避免输出被绕过
缓存。仔细测试,以确保授权和输出
缓存在您希望的方式进行交互。
Warning In the earlier section "How Authorization Filters Interact with Output Caching," I explained that [Authorize] has special behavior to ensure that unauthorized visitors can’t obtain sensitive information just because it’s already cached. However, unless you specifically prevent it, it’s still possible that cached output could be delivered to a different authorized user than the one for whom it was originally generated. One way to prevent that would be to implement your access control for a particular content item as an authorization filter (derived from AuthorizeAttribute) instead of simply enforcing authorization logic inline in an action method, because AuthorizeAttribute knows how to avoid being bypassed by output caching. Test carefully to ensure that authorization and output caching are interacting in the way you expect.
在MVC3这仍然是真的吗?
Is this still true in MVC3?
如果肯定的,有什么办法prevent这种事情发生? (因为书中的解释是太模糊)。
If affirmative, what is the way to prevent that of happening? (because the explanation in the book is too vague).
问候。
推荐答案
我想是的。
当您使用的OutputCache缓存数据,这些数据在全球范围内缓存。只要一个用户被授权,用户将得到高速缓存数据。
When you are using OutPutCache to cache data, these data are cached globally. As long as a user is authorized, the user will get cached data.
是的,我们拥有的OutputCache的VaryByParam选项,但它也创造了通过每个不同的参数一个新的高速缓存。这意味着它仍然是全球范围内。
Yes we have "VaryByParam" options for outputcache, but it also creates a new cache for every different parameter passed. which means it's still globally.
因此,如果你希望缓存根据用户不同的数据,的OutputCache可能不是这样做的正确方法。如果数据是特定的用户,会话是正确的选择。这就是生活会话为
So if you want to cache different data based on users, outputcache may not be the right way doing it. If data is user specific, session is the right choice. it's what session lives for
这篇关于的OutputCache并授权滤波器MVC3的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
