MVC3 应用程序日志中显示奇怪的路由
在我的一个 MVC3 Web 应用程序中,我最近注意到分析报告中有一些看起来很奇怪的 URL。
URL 看起来像是在路由中注入了编码值,但似乎与路由匹配,就好像编码值不存在一样。
正常 Url
/MyWebsite/Controller/Action
偶尔在日志中显示为
/MyWebsite/(F(B5l-uGhiwA7p6lMmAdzwc27qHH8p5Kdmy5l3ixub7-meZ315Xm-uOtFl_w8RRdki4pf_ yhRysEOVZ93xPV3yxDkn5XhXaY5PLara_kiqFb8BlHDZkzqv6wHgOgMTWgUF0))/控制器/操作
我已经在服务器和本地计算机上对此进行了测试,无论插入的值是否存在,它都会解析为控制器。
它们似乎遵循某种模式,因此我使用其他变体进行测试
/MyWebsite/(F(anything-here))/Controller/Action
解决得很好,我也可以替换 F
与任何其他字母
/MyWebsite/(A(anything-here))/Controller/Action
但是,用超过 1 个字母或其他字符代替 F 并不能解决问题
/MyWebsite/(AB(anything-here))/Controller/Action
= 404 错误
我认为这可能与 Cookieless 会话有关,但我发现的信息表明这在无论如何,MVC。有谁知道这是什么,或者是否有什么值得担心的?
编辑:
关闭本地浏览器的 cookie,我在 IIS 管理器中将会话状态设置为“自动检测”,它在 URL 中提供了一个看起来与上述模式惊人相似的键。
当我尝试在没有 Cookie 的情况下实际登录时,它似乎不起作用,但也许这是另一个问题。
将 IIS 管理器设置为“使用 Cookie”并使用关闭 Cookie 的浏览器进行访问(我使用 Opera,并在“高级首选项”中选择“从不接受 Cookie”)似乎没有像以前那样创建 URL,但从相似之处来看,它必须至少解释一下为什么它与路线匹配。
由于 IIS 在我的服务器上设置为“使用 Cookie”,我不确定为什么会生成 URL,但至少我现在知道它们是什么。也许这是会话劫持的尝试......
In one of my MVC3 web applications I have recently noticed some strange looking Urls in the analytics reports.
The Urls look like they have an encoded value injected into the route but seem to match the routes as if the encoded value was not there.
Normal Url
/MyWebsite/Controller/Action
Appears in the logs occasionally as
/MyWebsite/(F(B5l-uGhiwA7p6lMmAdzwc27qHH8p5Kdmy5l3ixub7-meZ315Xm-uOtFl_w8RRdki4pf_yhRysEOVZ93xPV3yxDkn5XhXaY5PLara_kiqFb8BlHDZkzqv6wHgOgMTWgUF0))/Controller/Action
I have tested this on the server and local machine and it resolves to the controller regardless of the presence of the inserted value.
They appear to follow a certain pattern so I tested using other variations
/MyWebsite/(F(anything-here))/Controller/Action
Resolves fine, I can also replace the F
with any other letter
/MyWebsite/(A(anything-here))/Controller/Action
However, putting more than 1 letter or other character in place of the F does not resolve
/MyWebsite/(AB(anything-here))/Controller/Action
= 404 Error
I thought it may be something to do with Cookieless sessions but the information I have found suggests that this isn't supported in MVC anyway. Does anyone know what this is, or if it is anything to worry about?
EDIT:
Turning off cookies for a local browser, I set the session state to 'Auto Detect' in IIS manager and it gave me a key in the URL that looks strikingly similar to the pattern described above.
When I try to actually log in without Cookies it doesn't seem to work, but perhaps that's another issue.
Setting IIS manager to 'Use Cookies' and accessing using a browser with cookies turned off (I used Opera with option 'Never accept cookies' in Advanced preferences) didn't seem to create the URL as before, but judging by the similarities it must at least explain why it matches the routes.
Since IIS is set to 'Use Cookies' on my server, I'm not sure why the URLs are being generated, but at least I now know what they are. Perhaps this is an attempt at Session hijacking...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这确实看起来像存储在 URL 中的会话数据。它是 ASP.NET 的一项功能,也可以与 MVC 配合使用。在 IIS 管理器中查找网站的会话状态图标,其 Cookie 设置模式很可能设置为“自动检测”。如果不支持 cookie,这可能会导致它回退到 URI 模式。
This does indeed look like session data stored in the URL. It's a feature of ASP.NET and works just fine with MVC as well. Look in the IIS manager for the Session State icon of your website and it's Cookie Settings Mode is most likely set to Auto Detect. This might cause it to fall back to URI mode in case cookies are not supported.