Why does SSL, once enabled with [RequireHttps] at the action level, stay enabled forever?

Posted 2024-12-11 16:40:44


We want to use https only when strictly required. Why after calling an action like below it remains enabled forever?

    [RequireHttps]
    public ActionResult LogIn()
    {
        if(Request.IsAuthenticated)
            return RedirectToAction("Index", "Account");

        return View();
    }

What can we do to disable it when not needed?

Thanks.

Comments (2)

花开半夏魅人心 2024-12-18 16:40:44


The [RequireHttps] attribute can be used on a controller type or action method to say "this can be accessed only via SSL." Non-SSL requests to the controller or action will be redirected to the SSL version (if an HTTP GET) or rejected (if an HTTP POST). You can override the RequireHttpsAttribute and change this behavior if you wish. There's no [RequireHttp] attribute built-in that does the opposite, but you could easily make your own if you desired.

There are also overloads of Html.ActionLink() which take a protocol parameter; you can explicitly specify "http" or "https" as the protocol. Here's the MSDN documentation on one such overload. If you don't specify a protocol or if you call an overload which doesn't have a protocol parameter, it's assumed you wanted the link to have the same protocol as the current request.

The reason we don’t have a [RequireHttp] attribute in MVC is that there’s not really much benefit to it. It’s not as interesting as [RequireHttps], and it encourages users to do the wrong thing. For example, many web sites log in via SSL and redirect back to HTTP after you’re logged in, which is absolutely the wrong thing to do. Your login cookie is just as secret as your username + password, and now you’re sending it in cleartext across the wire. Besides, you’ve already taken the time to perform the handshake and secure the channel (which is the bulk of what makes HTTPS slower than HTTP) before the MVC pipeline is run, so [RequireHttp] won’t make the current request or future requests much faster.

If you're hosting YouTube, change your embedding to use HTTPS rather than HTTP.

If you drop down to HTTP from HTTPS without correctly signing out (see http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.signout.aspx ), your username + password is wide open. It's not enough to call SignOut.
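As an added example (not code from the answer above and not part of ASP.NET MVC itself), this is what "override the RequireHttpsAttribute and change this behavior" looks like in practice. HandleNonHttpsRequest is the protected virtual method the built-in attribute calls when a request arrives over plain HTTP; the built-in version issues a 302 for GET and throws for everything else. The class name, the 301/403 policy and the assumption that HTTPS is served on its default port are this example's own choices.

```csharp
using System;
using System.Net;
using System.Web.Mvc;

// Example attribute (not from the original answer): enforces HTTPS like [RequireHttps],
// but with a permanent redirect for safe methods and an explicit 403 for everything else.
public sealed class RequireHttpsPermanentAttribute : RequireHttpsAttribute
{
    // Assumption: the TLS endpoint listens on the default port (443), so the
    // rebuilt URL only needs the scheme changed and the port reset.
    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        string method = request.HttpMethod;

        // Only idempotent GET/HEAD requests are redirected. A POST that already
        // travelled in cleartext is refused so the client cannot silently replay it.
        if (!string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase) &&
            !string.Equals(method, "HEAD", StringComparison.OrdinalIgnoreCase))
        {
            filterContext.Result = new HttpStatusCodeResult(
                (int)HttpStatusCode.Forbidden,
                "This resource can only be accessed over HTTPS.");
            return;
        }

        // Rebuild the same path and query string on https://.
        var https = new UriBuilder(request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = -1 // -1 means "default port for the scheme"
        };

        // 301 rather than the built-in 302, so browsers and crawlers learn that
        // the http:// form of this URL should not be tried again.
        filterContext.Result = new RedirectResult(https.Uri.AbsoluteUri, permanent: true);
    }
}
```

Apply it exactly like [RequireHttps], on the action or the controller. Two web.config settings back up the answer's point that the login cookie is as secret as the password: `<forms requireSSL="true" />` marks the forms-authentication cookie Secure, so the browser will not send it on an http:// request even if the user is redirected there (with that setting, FormsAuthentication refuses to issue the cookie from a non-SSL request, so the login action itself must be HTTPS-only), and `<httpCookies requireSSL="true" httpOnlyCookies="true" />` does the same for every cookie the application sets.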

我还不会笑 2024-12-18 16:40:44


I use this action filter that redirects back to http when the https action is completed:

    using System;
    using System.Web.Mvc;

    // Marker attribute: keeps an already-secure connection on an action that does not
    // itself carry [RequireHttps]. It has no behaviour of its own; the filter below
    // only checks for its presence.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
    public sealed class RetainHttpsAttribute : Attribute
    {
    }

    public class ExitHttpsIfNotRequiredAttribute : FilterAttribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            // abort if it's not a secure connection
            if (!filterContext.HttpContext.Request.IsSecureConnection) return;

            // abort if a [RequireHttps] attribute is applied to controller or action
            if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return;
            if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return;

            // abort if a [RetainHttps] attribute is applied to controller or action
            if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return;
            if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return;

            // abort if it's not a GET request - we don't want to be redirecting on a form post
            if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase)) return;

            // redirect to HTTP on the same host; only the host name is reused, so a
            // non-default port on the HTTPS side is deliberately not carried over
            string url = "http://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
            filterContext.Result = new RedirectResult(url);
        }
    }
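A safer variant of that filter, added here as an example rather than taken from the answer: it keeps the same opt-out attributes, but refuses to leave HTTPS while the request is authenticated or still carries the forms-authentication cookie, which is exactly the downgrade the first answer warns about. It assumes RetainHttpsAttribute is the marker attribute referenced in the answer's code (an empty Attribute subclass defined elsewhere in the project) and that the http:// site is served on its default port.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

// Example filter (not from the original answer). Leaves HTTPS only for anonymous,
// idempotent requests; anything tied to a login stays on the secure channel.
public sealed class ExitHttpsUnlessAuthenticatedAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Nothing to do if we are already on plain HTTP.
        if (!request.IsSecureConnection) return;

        // Respect the same opt-outs as the answer's filter.
        // Assumption: RetainHttpsAttribute is the empty marker attribute the answer refers to.
        if (HasAttribute<RequireHttpsAttribute>(filterContext)) return;
        if (HasAttribute<RetainHttpsAttribute>(filterContext)) return;

        // Never downgrade a session that is logged in: the redirect would make the
        // browser resend the authentication cookie in cleartext on the next request.
        if (request.IsAuthenticated) return;

        // Also stay on HTTPS if the forms cookie is present at all (for example an
        // expired ticket that has not been cleared yet); its contents are still secret.
        if (request.Cookies[FormsAuthentication.FormsCookieName] != null) return;

        // Only idempotent GET/HEAD requests are redirected; never a form post.
        string method = request.HttpMethod;
        if (!string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase) &&
            !string.Equals(method, "HEAD", StringComparison.OrdinalIgnoreCase)) return;

        // Rebuild the same path and query on http://. Assumption: default port 80.
        var http = new UriBuilder(request.Url)
        {
            Scheme = Uri.UriSchemeHttp,
            Port = -1 // -1 means "default port for the scheme"
        };
        filterContext.Result = new RedirectResult(http.Uri.AbsoluteUri);
    }

    // True if the attribute is declared on either the action or its controller.
    private static bool HasAttribute<TAttribute>(AuthorizationContext filterContext)
        where TAttribute : Attribute
    {
        return filterContext.ActionDescriptor.GetCustomAttributes(typeof(TAttribute), true).Length > 0
            || filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(TAttribute), true).Length > 0;
    }
}
```

Register it as a global filter (GlobalFilters.Filters.Add(new ExitHttpsUnlessAuthenticatedAttribute()) in Global.asax) so it runs for every action, and combine it with `<forms requireSSL="true" />` so that even a mistaken redirect cannot expose the cookie: a Secure cookie is simply not sent on the http:// request.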