2011-04-08 154 views
3

ASP.NET MVC: OutputCache attribute ignoring the RequireHttps attribute?

I have an ASP.NET MVC 3 application with an action that uses both the RequireHttps and OutputCache attributes:

[RequireHttps]
[OutputCache(Duration = 14400, VaryByCustom = "CurrentUser")]
public ActionResult VersionB()
{
    return View();
}

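When I browse to the page, I am redirected to HTTPS, as expected.

However, after the initial page load, I can still access the page over HTTP. If I remove the OutputCache attribute, I can no longer access the page over HTTP.

It looks as though OutputCache ignores HTTPS, thereby allowing insecure access to the page. Is it possible to cache an action that is served over HTTPS?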

+1

I faced the same problem, and removing the OutputCache attribute solved it. – sajoshi 2011-04-08 09:29:55

Answer

10

The [RequireHttps] attribute implementation is flawed and does not take caching into account.

Here is a fix:

using System;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = false)]
public class MyRequireHttpsAttribute : RequireHttpsAttribute
{
    // True only when the current request arrived over HTTPS.
    protected virtual bool AuthorizeCore(HttpContextBase httpContext)
    {
        return httpContext.Request.IsSecureConnection;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!AuthorizeCore(filterContext.HttpContext))
        {
            this.HandleNonHttpsRequest(filterContext);
        }
        else
        {
            // Filters do not run when the output cache serves the response, so
            // register a callback that re-checks HTTPS on every cache hit.
            var cache = filterContext.HttpContext.Response.Cache;
            cache.SetProxyMaxAge(new TimeSpan(0L));
            cache.AddValidationCallback(this.CacheValidateHandler, null);
        }
    }

    // Invoked by the output cache before it serves a cached copy.
    private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus)
    {
        validationStatus = this.OnCacheAuthorization(new HttpContextWrapper(context));
    }

    protected virtual HttpValidationStatus OnCacheAuthorization(HttpContextBase httpContext)
    {
        if (!AuthorizeCore(httpContext))
        {
            // Treat the request as a cache miss so the action and its filters run.
            return HttpValidationStatus.IgnoreThisRequest;
        }
        return HttpValidationStatus.Valid;
    }
}

Then:

[MyRequireHttps]
[OutputCache(Duration = 14400, VaryByCustom = "CurrentUser")]
public ActionResult VersionB()
{
    return View();
}
+0

Even in MVC 5.2 this has not been fixed natively. This fix still works great! – 2014-10-29 18:16:33
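
The behaviour reported in the question and the reason the fix closes it, as an added example that is not part of the original posts and is not ASP.NET's own code: a simplified, self-contained model of the request path in which the output cache is consulted before the action's filters. Pipeline, Handle and Validation are hypothetical names, and the constructor flag stands in for the AddValidationCallback call made by the fixed attribute.

```csharp
using System;
using System.Collections.Generic;

// Simplified model of the request path; all names are hypothetical, not ASP.NET types.
enum Validation { Valid, IgnoreThisRequest }

class Pipeline
{
    private readonly bool _registerCallback;         // false: stock attribute, true: fixed attribute
    private List<Func<bool, Validation>> _cached;    // null until a response has been cached

    public Pipeline(bool registerCallback) { _registerCallback = registerCallback; }

    public string Handle(bool isSecure)
    {
        // Output cache stage: consulted before the action runs, so on a hit
        // only the stored validation callbacks can still reject the request.
        if (_cached != null && _cached.TrueForAll(cb => cb(isSecure) == Validation.Valid))
            return "200 (from cache)";

        // Cache miss, or a callback answered IgnoreThisRequest: the action's
        // filters run, and the HTTPS filter short-circuits before anything is cached.
        if (!isSecure)
            return "302 -> https";

        // HTTPS request: render, then store the response with its callbacks.
        _cached = new List<Func<bool, Validation>>();
        if (_registerCallback)
            _cached.Add(secure => secure ? Validation.Valid : Validation.IgnoreThisRequest);
        return "200 (rendered)";
    }
}

static class Demo
{
    static void Main()
    {
        foreach (var withCallback in new[] { false, true })
        {
            var p = new Pipeline(withCallback);
            Console.WriteLine("validation callback registered: " + withCallback);
            Console.WriteLine("  HTTP, nothing cached : " + p.Handle(false));
            Console.WriteLine("  HTTPS                : " + p.Handle(true));
            Console.WriteLine("  HTTP, after caching  : " + p.Handle(false));
        }
    }
}
```

With the flag off, the third request (plain HTTP after the HTTPS response was cached) is served from the cache, which is the behaviour the question reports. With it on, the same request is treated as a cache miss, reaches the filter, and is redirected.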