Problem description
I have created Login/Logout functionality using ASP.NET MVC 4. I used my own form to authenticate users against Active Directory. It is working fine functionally.
Still, there is a big issue in security. Once the user clicks the logout link, he/she is successfully logged out and redirected to the login form again. The code in the controller looks like below.
public ActionResult Logout()
{
// Tried to include the 3 lines below in _Layout.cshtml as well, but they are not picked up.
Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);
Response.Cache.SetNoStore();
Session.Abandon();
return RedirectToAction("Login");
}
BUT, once the browser back button is clicked, the user can go back to the other pages and navigate through them.
I went through several solutions and different approaches, but none worked out. It seems the MVC approach is very different from ASP.NET Web Forms. Appreciate your help on this.
(I'm looking to solve this the C#/MVC way, not using JavaScript to disable/close the browser on logout.)
UPDATE: Code fragments
[HttpPost]
public ActionResult Login(LoginModel authUser)
{
// Call Helper to get LDAP info. Will return username with groups or null
UserModel userProfile = LdapLoginHelper.AuthenticateUser(authUser);
if (userProfile != null)
{
Session["UserName"] = userProfile.UserName;
Session["LdapGroups"] = userProfile.LdapGroups;
if (userProfile.LdapGroups.Contains("Administrators"))
{
// To be implemented
}
else
{
// To be implemented
}
// Successful login. Redirect to main page
return RedirectToAction("Home", "Home");
}
else
{
// Invalid Login. Redirect to Login page
return RedirectToAction("Login");
}
}
public ActionResult Logout()
{
// Did not work
Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);
Response.Cache.SetNoStore();
Session.Abandon();
/// Tried this too. Did not work.
/// Session.Clear();
/// FormsAuthentication.SignOut();
//// Tried this also. Did not work.
//// WebSecurity.Logout();
return RedirectToAction("Login");
}
In addition to this, the common _Layout.cshtml page header looks like below.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<meta http-equiv="CACHE-CONTROL" content="NO-CACHE">
.
.
.
Add the following code in your Global.asax page and remove the first 3 lines from your Logout() function.
// Global.asax.cs
using System;
using System.Web;

protected void Application_BeginRequest()
{
    // Sent on every request: Cache-Control: no-cache, no-store and an Expires date in the past,
    // so the browser has nothing to show from its cache when the back button is pressed.
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Response.Cache.SetExpires(DateTime.UtcNow.AddHours(-1));
    Response.Cache.SetNoStore();
}
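As an added example (not code from the question or the answer above), the same no-cache headers expressed as an MVC global action filter, together with a server-side session check so that a page re-requested after Session.Abandon() is redirected to Login instead of rendered; headers set this way are honoured by browsers and proxies, whereas the http-equiv meta tags in _Layout.cshtml are not reliable for that. The session key "UserName" comes from the question; the filter class names and the "Account" controller name are my assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Registered globally (see FilterConfig below). OnResultExecuting runs for views and
// redirects alike, so the headers are on the response before any body is written.
public class NoCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache
        cache.SetNoStore();                                     // Cache-Control: no-store
        cache.SetExpires(DateTime.UtcNow.AddHours(-1));         // Expires: in the past
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // Cache-Control: must-revalidate
        base.OnResultExecuting(filterContext);
    }
}

// Server-side check that does not depend on the browser cache at all: after logout the
// session no longer holds "UserName", so any page the user navigates back to and that
// actually reaches the server is redirected to Login. Actions marked [AllowAnonymous]
// (Login, Logout) are skipped by AuthorizeAttribute, so the redirect cannot loop.
public class SessionAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return httpContext.Session != null && httpContext.Session["UserName"] != null;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Assumed controller name "Account"; adjust to where Login lives in your project.
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary { { "controller", "Account" }, { "action", "Login" } });
    }
}

public static class FilterConfig
{
    // Call from Application_Start: FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new NoCacheAttribute());
        filters.Add(new SessionAuthorizeAttribute());
    }
}
```

Decorate the Login and Logout actions with [AllowAnonymous]; every other action is then both non-cacheable and rejected once the session is gone.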