开发者

Using the browser's back button after SignOut() allows access to secure page (ASP.NET MVC)

I have an 开发者_如何学GoMVC app that uses [Authorize] to protect the private bits. When I select the SignOut() URL it signs me out but if I hit the back button on my browser the it goes to the secure page and even lets me use the form. The action takes place and then it shows that I'm signed out. The problem is that it performs the secured action (inserting a row into my database). Then I can use the back button again and do it all over. If I use the back button after logging out and hit the browser refresh it does show I'm logged out and refuses me access to the secure page.

Am I missing something important? It seems like it could be a really big security issue.

public ActionResult LogOff(string ReturnUrl)
{

    FormsAuth.SignOut();

    if (!String.IsNullOrEmpty(ReturnUrl))
    {
        return Redirect(ReturnUrl);
    }
    else
    {

    return RedirectToAction("Index", "Page");
    }
}


I think the problem is that browser caches the page. That's why it doesn't reload the page after you click on back button. If you specify in headers that the page should not be cached, it should reload the page after hitting the back button. And then the user is refused.

However, to get it working might be tricky in some cases. See this Caching Tutorial for more info.


Clearing the session might help. here is my sign out method:

    public ActionResult Signout()
    {
        Session.Clear();
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }


Are you using any session information? FormsAuth.SignOut() only affects new instances of a page. When you went back, you were authorized to be there (previously). The PostBack is allowed unless you have code checking for the cookie/session/authenticity of the request. It even bypasses the global.asax because the ViewState is already generated.

You may want to add a session killing statement or provide some extra auth checks in your base classes to make sure that a user truly is authorized to be where they are, WHEN they are.

Alternatively, you can turn off page caching which should render the back button fairly useless (it'll provide the page expired default). This will create weirdness for users who rely on the back button, but it will help guarantee security of the page because it'll force a "re-render" of the page in the first place.


this is to late answer but i hope to help anyone in a time in Global.asax add this method

protected void Application_BeginRequest()
{
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Response.Cache.SetExpires(DateTime.UtcNow.AddHours(-1));
    Response.Cache.SetNoStore();
}

and then after the main action add this check

if (Request.IsAuthenticated)
{
    // do something
}
else 
{
    return RedirectToAction("LoginPage", "ControllerName");
}

(main action mean any [httpget] action) and it will work greatly i hope to help

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜