
I have the following action method with a cache on server setting:

[CheckUserPermissions(Action = "", Model = "Admin")]
[OutputCache(CacheProfile = "short", Location = OutputCacheLocation.Server, VaryByHeader = "X-Requested-With")]
public ActionResult SystemInfo(int page = 1, bool forTechAudit = false)
{
    // action body omitted in the question
}
And the CheckUserPermissions action filter will return an unauthorized message to the users who do not have the required permissions as follows:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class CheckUserPermissionsAttribute : ActionFilterAttribute
{
    public string Action { get; set; }
    public string Model { get; set; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // code goes here
        // IF user is not authorized then ...
        var viewResult = new ViewResult();
        viewResult.ViewName = "~/Views/Errors/_Unauthorized.cshtml";
        filterContext.Result = viewResult;

        base.OnActionExecuting(filterContext);
    }
}

Now if a user accesses the SystemInfo action method and he is not authorized, he will get the /_Unauthorized.cshtml view, but if another user who is authorized then calls the SystemInfo action method, he will get the */_Unauthorized.cshtml* view as well.

Also, if an authorized user accesses SystemInfo first, then an unauthorized user will be able to call the action method and see the cached result? And even the current login username will be cached, and users will see other users' usernames in their sessions.

Can anyone advise how I can overcome this issue? Currently I changed the cache location to be on the client instead of the server, which temporarily solves the issue, but I need to cache the action method on the server. I am thinking of passing the login username to my action method - any suggestions?

Thanks

John John

1 Answer


See the following questions:

I read through these questions, and it seems the OutputCacheAttribute works well with the AuthorizeAttribute. So maybe you should check how the AuthorizeAttribute handles the caching, and implement that in your action filter.

Personally I liked this approach: https://meta.stackexchange.com/questions/60403/how-does-stack-overflow-do-caching/60406#60406


Edit: view the source of the AuthorizeAttribute here, and take a look at the OnAuthorization function. Maybe it helps.

Marthijn
  • But your last link mentioned that Stack Overflow does not use cache for logged-in users!! – John John Jan 02 '14 at 17:08
  • And as a temporary solution, if I change all the cache locations to be on the client instead of on the server, will this remove the risk of having unauthorized users accessing sensitive cached data? – John John Jan 02 '14 at 17:21
  • Yes, I know the data is not cached for authenticated users. But for a site like StackOverflow that's even better because the users see the newest data. It depends on the purpose of your website. It indeed does not fix your problem, but I thought it was an interesting approach to caching. As for the client side, you probably have a problem when a user uses your application on a public computer, logs off, and the authenticated data is still cached. You should test it. – Marthijn Jan 02 '14 at 17:29
  • But if the data is cached on the client and the user logs off, then other users who use the public computer should not be able to see the cached data unless they log in to the system, I think this should be the case. – John John Jan 02 '14 at 23:41
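The answer points at the pattern AuthorizeAttribute.OnAuthorization uses to coexist with server-side output caching: when the request is authorized, the filter registers a validation callback with the output cache, so every later request that would be served from the cache is re-checked before the cached page goes out. Below is an added example (not the asker's code and not the MVC source) of the permission filter from the question rewritten as an authorization filter that follows that pattern. The permission lookup (`IsAuthorized`, using `IsInRole` on the `Model` value) and the `"user"` key in `GetVaryByCustomString` are assumptions for illustration; the application's real permission store would go there.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example: permission filter that cooperates with
// [OutputCache(Location = OutputCacheLocation.Server)] the same way
// System.Web.Mvc.AuthorizeAttribute does, via an output-cache validation callback.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class CheckUserPermissionsAttribute : FilterAttribute, IAuthorizationFilter
{
    public string Action { get; set; }
    public string Model { get; set; }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        if (IsAuthorized(filterContext.HttpContext))
        {
            // Authorized: let the action run and be cached, but
            // (a) forbid downstream proxies from caching the page, and
            // (b) make the server output cache call us back before serving the cached copy.
            HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
            cachePolicy.SetProxyMaxAge(new TimeSpan(0));
            cachePolicy.AddValidationCallback(CacheValidateHandler, null);
        }
        else
        {
            // Not authorized: short-circuit with the error view; nothing is cached for this request.
            filterContext.Result = new ViewResult { ViewName = "~/Views/Errors/_Unauthorized.cshtml" };
        }
    }

    // Invoked by the output cache module for each request that matches a cached entry.
    private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus)
    {
        validationStatus = IsAuthorized(new HttpContextWrapper(context))
            ? HttpValidationStatus.Valid             // serve the cached page to this user
            : HttpValidationStatus.IgnoreThisRequest; // skip the cache; run the pipeline (and this filter) instead
    }

    // Assumed permission check (placeholder for the application's own lookup of Model/Action).
    protected virtual bool IsAuthorized(HttpContextBase httpContext)
    {
        if (httpContext.User == null || !httpContext.User.Identity.IsAuthenticated) return false;
        return string.IsNullOrEmpty(Model) || httpContext.User.IsInRole(Model);
    }
}

// Global.asax.cs: gives each user a separate cache entry for actions declared with
// [OutputCache(..., VaryByCustom = "user")], so one user's rendered username is
// never served to another. Assumed key name "user".
public class MvcApplication : HttpApplication
{
    public override string GetVaryByCustomString(HttpContext context, string custom)
    {
        if (string.Equals(custom, "user", StringComparison.OrdinalIgnoreCase))
        {
            return context.User != null && context.User.Identity.IsAuthenticated
                ? "user:" + context.User.Identity.Name
                : "anonymous";
        }
        return base.GetVaryByCustomString(context, custom);
    }
}
```

The validation callback only answers the first problem in the question (an unauthorized user being served a page cached by an authorized one); it does not change what is inside the cached page. The per-user `VaryByCustom` key answers the second problem (the first user's username appearing in everyone's cached copy), at the cost of one cache entry per user. If the personalised part of the page is small, caching only the shared part in a child action and leaving the username uncached is the cheaper alternative.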