我正在使用ASP.NET MVC2并遇到问题。注销后,我手动输入到地址栏http://localhost/controller/action
,我被重定向到页面,无论我是什么LogOff。我如何解决这种安全风险?注销并导航到'/ controller/action'时出现安全问题
的一些控制器动作代码我是谁地址栏中手工输入:
[Authorize(Roles = "Admin")]
public ActionResult Upload()
{
return View();
}
<%@ Page Title="" Language="C#" MasterPageFile="~/Views/Shared/Site.Master" Inherits="System.Web.Mvc.ViewPage" %>
<asp:Content ID="Content1" ContentPlaceHolderID="TitleContent" runat="server">
上传
<asp:Content ID="Content2" ContentPlaceHolderID="MainContent" runat="server">
<h2>Upload</h2>
<% using (Html.BeginForm("Upload", "Upload", FormMethod.Post, new { enctype="multipart/form-data" }))
{ %>
Select a file: <input type="file" name="fileUpload" id="fileUpload" />
<input type="submit" value="Upload";/>
<%
} %>
</asp:Content>
更新:现在我发现我可以manualy在地址栏中控制器类型和动作名称和登录前在我的网站上打开页面,为什么
登录和登出操作:
[AcceptVerbs(HttpVerbs.Post)]
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1054:UriParametersShouldNotBeStrings",
Justification = "Needs to take same parameter type as Controller.Redirect()")]
public ActionResult LogOn(string userName, string password, bool rememberMe, string returnUrl)
{
if (!ValidateLogOn(userName, password))
{
return View();
}
FormsAuth.SignIn(userName, rememberMe);
if (!String.IsNullOrEmpty(returnUrl))
{
return Redirect(returnUrl);
}
else
{
return RedirectToAction("About", "Home");
}
}
public ActionResult LogOff()
{
FormsAuth.SignOut();
return RedirectToAction("Index", "Home");
}
我找到的解决办法:我把错误的角色名称([Authorize(Roles = "Admin")]
),这是我的代码
显示您的操作代码。 – 2010-08-20 21:49:49