views: 125 | answers: 2

I'm building an ASP.NET MVC 2 site where I'm using the OutputCache parameter heavily. However, I have a concern: using such caching may interfere with authentication.

On all of my pages, I display whether the user is logged in or not. Furthermore, in some of my Views, I do filtering based on user role to determine whether or not to display some page content (for example, the Edit link on one of my pages is only shown to users in the roles of Moderator or Administrator).

Will using OutputCache interfere with this dynamic changing of my Views? If so, how can I resolve this problem without eliminating caching?

+1  A: 

I believe what you need is ASP.NET donut caching. See here for a good explanation. I wouldn't be surprised if SO uses something like this for the top bar area.

madcapnmckay
That link says that it's not recommended to do that in MVC2...
Maxim Zaslavsky
+2  A: 

The [OutputCache] and [Authorize] attributes play well with one another. The AuthorizeAttribute.OnAuthorization() method sets a hook into the output caching system that forces the authorization filter to re-run before the page is served from the cache. If the authorization filter logic fails, it will be treated as a cache miss. If the authorization logic succeeds, the page will be served from the cache. So if you have [Authorize(Roles = "Moderator, Administrator")] and [OutputCache] on an action, the page will not be served from the cache unless the current user is in the Moderator or Administrator roles.

Note that this does not vary by user or role; it's literally re-running the original check. Imagine that User A (who is a Moderator) comes in and causes the page to be cached. Now User B (who is an Administrator) comes in and hits the cached page. The [Authorize] check will succeed since both Administrator and Moderator are allowed, and the response served to User B will contain the exact same contents as the response that was served to User A.

Note that response substitution does not work in MVC 2. If you're serving potentially sensitive data, the best bet here is not to cache it. If you absolutely need to cache, you can mimic something similar to response substitution by using an AJAX callback to dynamically fill in the missing data.

Levi
What if I have a method that doesn't require authorization but adds an Edit link inside the View if the user is a moderator? In this case, I'm trying to accomplish something that resembles how the link, flag, edit, and other buttons under a question or answer here work - doesn't SO use OutputCache, too? Thanks for your answer!
Maxim Zaslavsky
I just stumbled across http://blog.stevensanderson.com/2008/10/15/partial-output-caching-in-aspnet-mvc/ (about an old problem that was later fixed), which gave me an idea - if OutputCache is so bad with this, is it possible to **build a custom caching attribute/filter** that creates different copies based on whether the user is logged-in and what roles the user is in - or better yet, what the username is, as I'm going to write the name of the user at the top of the page - **is that possible**?
Maxim Zaslavsky
It's generally a bad idea to cache per-user, as your cache is going to be flooded with entries. If donut caching is important to your scenario, you could also use a response filter. At the beginning of the request, install a filter that understands some [!! SUBSTITUTION DATA !!] pattern, have your WriteSubstitute() write this pattern to the response stream, then at the end of the request your filter would call into the actual Response.WriteSubstitution() method.
Levi
To answer your question re: varying by pretty much anything (including username), see http://aspadvice.com/blogs/ssmith/archive/2007/10/29/VaryByCustom-Caching-By-User.aspx and http://msdn.microsoft.com/en-us/library/system.web.mvc.outputcacheattribute.varybycustom.aspx. Remember though that this is not recommended.
Levi
I ended up completely cutting caching for authenticated users on the advice of Jeff Atwood at http://meta.stackoverflow.com/questions/60403/how-does-stack-overflow-do-caching/60406#60406
Maxim Zaslavsky
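An added example (not code from the original question or answers) of the VaryByCustom approach Levi points to, keyed on the set of rendering-relevant roles rather than on the username so the cache stays bounded. The controller, action, role names and the `roleset` custom string are assumptions for illustration; `GetVaryByCustomString`, `OutputCacheAttribute` and `OutputCacheLocation` are the real ASP.NET/MVC 2 APIs. `Location = OutputCacheLocation.Server` matters: a downstream or browser cache has no idea what "roleset" means, so the per-role variant must never be served from anywhere but the server-side cache.

```csharp
// Global.asax.cs (added example; role names and the "roleset" key are assumptions)
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.UI;

public class MvcApplication : HttpApplication
{
    // Only roles that actually change what the View renders belong here.
    // Adding roles that do not affect output just multiplies cache entries.
    private static readonly string[] RenderingRoles = { "Administrator", "Moderator" };

    // ASP.NET calls this for every [OutputCache(VaryByCustom = "...")] hit.
    public override string GetVaryByCustomString(HttpContext context, string custom)
    {
        if (string.Equals(custom, "roleset", StringComparison.OrdinalIgnoreCase))
        {
            return RoleSetKey(context.User);
        }
        return base.GetVaryByCustomString(context, custom);
    }

    // Bounded key space: "anon" plus one entry per combination of rendering roles.
    // Anonymous and authenticated users never share a cached copy, so a logged-out
    // visitor cannot be handed a page that was rendered with a moderator's Edit link.
    internal static string RoleSetKey(IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            return "anon";
        }
        var held = RenderingRoles
            .Where(user.IsInRole)
            .OrderBy(r => r, StringComparer.Ordinal); // stable order => stable key
        return "auth:" + string.Join(",", held.ToArray());
    }
}

// QuestionsController.cs (added example; controller and action are assumptions)
public class QuestionsController : Controller
{
    // Server-only cache: the role-dependent body must not be marked cacheable
    // for proxies or the browser, which cannot evaluate "roleset".
    [OutputCache(Duration = 60,
                 VaryByParam = "id",
                 VaryByCustom = "roleset",
                 Location = OutputCacheLocation.Server)]
    public ActionResult Details(int id)
    {
        // The View decides whether to render the Edit link from User.IsInRole(...);
        // because the cache key already varies by role set, the cached copy is
        // only ever reused by a user with exactly the same rendering roles.
        ViewData["QuestionId"] = id;
        return View();
    }
}
```

What this does not solve is the username shown at the top of every page: including it in the cached body would force a per-user key, which is the cache flooding Levi warns about. Keep that fragment out of the cached response (a separate, uncached request or the AJAX fill-in Levi describes), or, as Maxim ultimately did, disable output caching for authenticated users altogether.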