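Question: Is OnAuthorization called for every request? If not, where can I check for a session timeout before the authorize attribute is called?
Background: I need a way to determine whether the session exists and has not timed out. I want to do this on every method call of every controller in my application. I need to do it before the authorization filter is called, because I keep a hash set of permissions in the session and my authorize attribute looks at those permissions. I need to do this for every request, whether or not an authorize attribute is applied.
Some of the answers I have read (one is referenced below) say to override OnActionExecuting in a base controller. That makes sense, but I have found that OnActionExecuting is not called until after AuthorizeCore in the filter attribute has been called.
The approach I have taken so far is to check the session in the base controller and check the permission in the authorize attribute.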
BaseController.cs:
    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        // This base does two things:
        // 1.) Ensures that Session exists
        // 2.) Ensures that the Security object exists and is initialized.
        HttpContextBase httpContext = filterContext.HttpContext;
        // Check if session exists
        if (httpContext.Session == null)
            filterContext.Result = Redirect(core.SecurityConstants.SessionTimeoutRedirectURL);
        else
        {
            if (!Security.IsInitialized())
                filterContext.Result = Redirect(core.SecurityConstants.PermissionDeniedRedirectURL);
            else if (httpContext.Session.IsNewSession) // check if a new session id was generated
            {
                // If it says it is a new session, but an existing cookie exists, then it must have timed out
                string sessionCookie = httpContext.Request.Headers["Cookie"];
                if ((null != sessionCookie) && (sessionCookie.IndexOf("ASP.NET_SessionId") >= 0))
                {
                    if (httpContext.Request.IsAjaxRequest())
                    {
                        filterContext.HttpContext.Response.StatusCode = 401;
                        httpContext.Response.End();
                    }
                    filterContext.Result = Redirect(core.SecurityConstants.SessionTimeoutRedirectURL);
                }
            }
        }
        base.OnAuthorization(filterContext);
    }
SecurityAttribute.cs:
    public class SecurityAttribute : AuthorizeAttribute
    {
        public Permission Permission { get; set; }

        public SecurityAttribute(Permission permission)
        {
            Permission = permission;
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // Note: the return value of base.AuthorizeCore is discarded here;
            // only the permission check below decides the outcome.
            base.AuthorizeCore(httpContext);
            return Security.HasPermission(Permission);
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            base.HandleUnauthorizedRequest(filterContext);
            //if (filterContext.RequestContext.HttpContext.User.Identity.IsAuthenticated)
            //{
            filterContext.RequestContext.HttpContext.Response.Redirect(SecurityConstants.PermissionDeniedRedirectURL);
            //}
        }
    }
References
When OnAuthorization method is called?
With ASP.NET MVC redirect to login page when session expires
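Answer 0: (score: 1)
Maybe the following will work for you; add it to Global.asax:
    protected void Application_AcquireRequestState()
    {
        // Session is null for handlers that do not use session state
        if (Context.Session != null && Context.Session.IsNewSession)
        {
            //do something
        }
    }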
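The following is an added example, not part of the question or the answer above: it fills in the answer's `Application_AcquireRequestState` hook with the question's stale-cookie timeout test, so the check runs for every session-enabled request before any MVC authorization filter. The class name `MvcApplication`, the `SessionTimeoutUrl` value (a placeholder standing in for the question's `SecurityConstants.SessionTimeoutRedirectURL`) and the decision to expire the stale cookie are assumptions.

```csharp
// Global.asax.cs (added example; names and URL below are assumptions)
using System;
using System.Web;
using System.Web.Mvc; // IsAjaxRequest() extension method

public class MvcApplication : HttpApplication
{
    // Placeholder for the question's SecurityConstants.SessionTimeoutRedirectURL.
    private const string SessionTimeoutUrl = "~/Account/SessionTimeout";

    // Default cookie name; differs if <sessionState cookieName="..."> is configured.
    private const string SessionCookieName = "ASP.NET_SessionId";

    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = Context;

        // Session is null for handlers that do not use session state.
        if (ctx.Session == null || !ctx.Session.IsNewSession)
            return;

        // A new session without a session cookie is a genuine first visit.
        if (ctx.Request.Cookies[SessionCookieName] == null)
            return;

        // New session plus an existing cookie: the previous session expired.
        if (new HttpRequestWrapper(ctx.Request).IsAjaxRequest())
        {
            // Let client script handle the 401 instead of receiving a redirect body.
            ctx.Response.StatusCode = 401;
            // Only matters when Forms Authentication is enabled (.NET 4.5+):
            // stops the 401 from being rewritten into a 302 to the login page.
            ctx.Response.SuppressFormsAuthenticationRedirect = true;
        }
        else
        {
            // Design choice of this example: expire the stale cookie so the
            // redirected request is not flagged as timed out again.
            ctx.Response.Cookies.Add(new HttpCookie(SessionCookieName, string.Empty)
            {
                Expires = DateTime.UtcNow.AddDays(-1)
            });
            ctx.Response.Redirect(SessionTimeoutUrl, false); // false: no ThreadAbortException
        }

        // Skip the rest of the pipeline, so no controller or filter runs.
        CompleteRequest();
    }
}
```

Because the request is completed here, the permission set held in the session is never consulted for an expired session, and the `[Security]` attribute only has to answer the permission question.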