使网页会话可能方式ASP MVC 3过期？ （QUOT; preSS后退按钮退出问题＆QUOT后; [英] Possible way to make the page session expired in ASP MVC 3? ("Press Back Button after Logout issue"

问题描述

我目前工作的MVC3的网站，用户身份验证。

I am currently working on MVC3 website with user authentication.

一息尚存，我想prevent用户从pressing后退按钮后，成功地从网页注销重新登录后，我有这样的安全问题。

I have this security issue whereby I want to prevent user from relogin back with pressing back button after successfully log out from the page.

我有很多研究解决方案，但是我不知道如何将它应用到我的项目。任何可能做到在MVC3？

I had research many solutions, however I do not understand how to apply it into my project. Any possible to do it in MVC3?

推荐答案

您没有重新登录，您只从浏览器缓存查看网页。如果您尝试调试，你会看到，没有code是在浏览器后退按钮执行。如果你试图退出和pressing回来后，点击的东西，你将被重定向到登录页面（如果你离开默认MVC3应用程序的行为）。

You are not re-logging, you are only viewing page from browser cache. If you try to debug, you will see that no code is executed on back button on browser. If you try to click something after logging out and pressing back, you will be redirected to login page(if you left default mvc3 app behavior).

有几种解决方案，这是我的看法：

There are several solutions, and this is my take:

1. 您可以进行自定义ActionFilterAttribute，以prevent缓存控制器上，和/或类似这样的行动，随后直接将其应用到动作/控制器：

1. You can make custom ActionFilterAttribute, to prevent caching on controllers, or/and actions like this, then simply apply it to action/controller:

public class NoClientCache : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        filterContext.HttpContext.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        filterContext.HttpContext.Response.Cache.SetValidUntilExpires(false);
        filterContext.HttpContext.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        filterContext.HttpContext.Response.Cache.SetCacheability(HttpCacheability.ServerAndNoCache);
        filterContext.HttpContext.Response.Cache.SetNoStore();

        base.OnResultExecuting(filterContext);
    }
}

注销被触发浏览器的客户端执行后，您可以强制刷新

You can force refresh after logout is executed by triggering browser client-side

history.go（1）;

history.go(1);

补充：
如果从单个位置登出，你应该用第一种方法去，但如果你的注销按钮布局页面上，那就要烂在所有网页上禁用高速缓存，所以第二个方法似乎要走的路。

Added: If you are logging out from single location, you should go with first approach, but if your logout button is on layout page, it would be bad to disable caching on all pages, so 2nd approach seems the way to go.

这篇关于使网页会话可能方式ASP MVC 3过期？ （QUOT; preSS后退按钮退出问题＆QUOT后;的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！