Clearing the browser cache and cookies on logout in ASP.NET MVC 3
It's quite a common topic I think, but I can't resolve my problem. In my application built with ASP.NET MVC 3, I'm using forms authentication along with output caching:
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" name=".CMS" protection="All" timeout="43200" cookieless="UseCookies"/>
</authentication>
<caching>
  <outputCacheSettings>
    <outputCacheProfiles>
      <add name="Dynamic" duration="3600" location="Client" varyByParam="id" />
    </outputCacheProfiles>
  </outputCacheSettings>
</caching>
My LogOff action looks as follows:
public ActionResult LogOff()
{
    _formsService.SignOut();
    return RedirectToAction("Index", "Dynamic");
}
This action uses a simple SignOut method:
public void SignOut()
{
    FormsAuthentication.SignOut();
    HttpContext.Current.Session.Abandon();
    // clean auth cookie
    HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty);
    authCookie.Expires = DateTime.Now.AddDays(-1);
    HttpContext.Current.Response.Cookies.Add(authCookie);
    // clean session cookie
    HttpCookie sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty);
    sessionCookie.Expires = DateTime.Now.AddDays(-1);
    HttpContext.Current.Response.Cookies.Add(sessionCookie);
}
But the problem is the following:
the page http://localhost/app/dynamic/page is protected. I cannot enter this page until I log in. After login, I have access to browse such pages. After logout, when I enter the page again, unfortunately I can still view its content.
How do I prevent access to protected pages after logout, when caching is enabled and I was previously visiting such pages? What am I doing wrong? Should the cookies be cleaned in another way?
Regards
The page is still cached. You need to add the following response header:
which doesn't actually prevent caching.
The cache-control response header's no-cache directive means that the browser
If you really want to prevent caching, specify the no-store directive. That tells the browser that it
See the HTTP 1.1 specs for details on cache-control and its directives.
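As an added example (not code from the question or from any answer), here is one way to apply the no-store advice in ASP.NET MVC 3: a hypothetical NoClientCache action filter that sets the headers through Response.Cache, applied to a protected controller in place of the client-side "Dynamic" output-cache profile from the question. The DynamicController, Index and Page names are assumptions; the server-side cookie clearing from the question's SignOut stays as it is.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter (not from the question): stamps every response of the
// actions it decorates with headers that forbid the browser from reusing the page.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true)]
public sealed class NoClientCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;

        // no-store: the body is never written to the browser cache, so a post-logout
        // navigation (Back button or typed URL) cannot replay the authenticated copy.
        cache.SetNoStore();

        // no-cache + must-revalidate: a cache that ignores no-store still has to ask
        // the server, where [Authorize] sees that the auth cookie is gone.
        cache.SetCacheability(HttpCacheability.NoCache);
        cache.AppendCacheExtension("must-revalidate");

        base.OnResultExecuting(filterContext);
    }
}

// Assumed controller behind http://localhost/app/dynamic/page. The "Dynamic"
// output-cache profile from web.config is deliberately not applied here:
// location="Client" with duration="3600" is exactly what lets the page survive logout.
[Authorize]
[NoClientCache]
public class DynamicController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    public ActionResult Page(int? id)
    {
        return View();
    }
}
```

The resulting response carries Cache-Control: no-cache, no-store, must-revalidate (plus Pragma: no-cache and Expires: -1, which ASP.NET adds for NoCache), so after LogOff the redirect to Dynamic/Index and any later visit to the page are served by the server and rejected by [Authorize].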
Take a look at this post: Asp.Net Mvc Can Not Log Out. I believe it should provide the code snippet needed to log out and clear the cache.
You can't clear the browser cache from the server.
IMO the only right thing to do is invalidating the cookie on the server side (i.e. even if somebody gets to know the cookie he can't use it anymore), and optionally deleting the cookie on the client.
Just deleting the cookie isn't enough IMO.
Have you verified that the browser actually makes a request to the page http://localhost/app/dynamic/page (i.e. using Fiddler)?
If the page is served from the browser's cache you need to set a cache control header on that app/dynamic/page so the browser is forced to query the page from the server.
If the page is retrieved from the server then see if the cookies are still there (your cookie code looks ok, but still something could be wrong) OR if server side caching kicks in.