I am using ASP.NET MVC2 and have a problem. After I log off, I manually type http://localhost/controller/action into the address bar and I am taken to the page regardless of the fact that I am logged off. How do I solve this security risk?

Code of the controller action whose URL I manually type into the address bar:

[Authorize(Roles = "Admin")]
public ActionResult Upload()
{       
    return View();
}

<%@ Page Title="" Language="C#" MasterPageFile="~/Views/Shared/Site.Master" Inherits="System.Web.Mvc.ViewPage" %>

<asp:Content ID="Content1" ContentPlaceHolderID="TitleContent" runat="server">
Upload
</asp:Content>

<asp:Content ID="Content2" ContentPlaceHolderID="MainContent" runat="server">
    <h2>Upload</h2>
    <% using (Html.BeginForm("Upload", "Upload", FormMethod.Post, new { enctype="multipart/form-data" }))
    { %>
          Select a file: <input type="file" name="fileUpload" id="fileUpload" />
          <input type="submit" value="Upload" />
    <% } %>
</asp:Content>

Update: Now I have discovered that I can manually type a controller and action name into the address bar and open pages on my web site before logging in. Why?

LogOn and LogOff actions:

    [AcceptVerbs(HttpVerbs.Post)]
    [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1054:UriParametersShouldNotBeStrings",
        Justification = "Needs to take same parameter type as Controller.Redirect()")]
    public ActionResult LogOn(string userName, string password, bool rememberMe, string returnUrl)
    {

        if (!ValidateLogOn(userName, password))
        {
            return View();
        }

        FormsAuth.SignIn(userName, rememberMe);
        if (!String.IsNullOrEmpty(returnUrl))
        {
            return Redirect(returnUrl);
        }
        else
        {
            return RedirectToAction("About", "Home");
        }
    }

    public ActionResult LogOff()
    {

        FormsAuth.SignOut();

        return RedirectToAction("Index", "Home");
    }

I found the solution: I had put the wrong role name in ([Authorize(Roles = "Admin")]), so it was a problem with my code.

A: 

My guess: the page comes from the browser cache; when you press a submit button on the page you will be redirected to the login page.

mehmet6parmak
+1  A: 

Are you sure the controller and or action you are typing into the address bar has the [Authorize] attribute associated to it?

DevDave
I posted some action code, see above
Ognjen
And in that code, you do not have the authorize attribute defined. Therefore, you are saying that this particular controller/action can be accessed by anyone.
Tommy
I set the authorize attribute but the problem is still there, see the code above.
Ognjen
The only things I can think of are: the guy below is correct and the page is coming from the cache, and as soon as you try to perform an action on the page it will redirect you to the login page. The other thing could be the logout code. Can you post the code you used to log out?
DevDave
I posted the LogOn and LogOff actions, see my code. How do I clear that cache to prevent someone from typing the absolute path to my pages?
Ognjen
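The two mechanisms discussed in this thread, the `[Authorize]` attribute and the browser serving a stale copy of a protected page after LogOff, can be combined in one controller. The following is an added example, not code from any of the posters: a small `ActionFilterAttribute` (the name `NoBrowserCacheAttribute` and the controller name are assumptions) that sends `Cache-Control: no-cache, no-store` and an expired `Expires` header on every response of a protected controller, so a page that required a login is never replayed from the browser cache after the forms ticket has been cleared. The role name must match exactly what the configured RoleProvider returns for the user; the `IsInRole` check in the action shows how to verify that from inside the application.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example: tell the browser and any intermediate proxy not to store the
// response, so a protected page cannot be shown from cache after LogOff.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class NoBrowserCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);   // Cache-Control: no-cache
        cache.SetNoStore();                                 // Cache-Control: no-store
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));      // Expires in the past
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        base.OnResultExecuting(filterContext);
    }
}

// Applying both attributes at controller level covers every action in it,
// including ones added later, instead of relying on each action being decorated.
[Authorize(Roles = "Admin")]
[NoBrowserCache]
public class UploadController : Controller
{
    public ActionResult Upload()
    {
        // [Authorize] has already rejected anonymous users and users outside
        // the "Admin" role; this check only documents that assumption and
        // guards against the attribute being removed by mistake.
        if (!User.IsInRole("Admin"))
        {
            return new HttpUnauthorizedResult();
        }
        return View();
    }

    [HttpPost]
    public ActionResult Upload(HttpPostedFileBase fileUpload)
    {
        // Handle the uploaded file here; the same authorization and
        // no-cache rules apply to this POST action because the attributes
        // sit on the controller.
        return RedirectToAction("Upload");
    }
}
```

With the filter in place, pressing Back after LogOff forces the browser to request the page again; the request has no valid forms-authentication ticket, `[Authorize]` returns 401 and forms authentication redirects to the login page. If a user who should be allowed in is also redirected, the role name in the attribute does not match what the RoleProvider reports for that user, which is the mistake the question's author found.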