MVC: How Do I Link An Input Button To A Different Action?

Question

I have this link in Home.cshtml (This has an ActionResult of public ActionResult Home())

<li class="home-links home-middleLast">@Html.ActionLink("Log out", "LogOut", "Home")</li>

It is suppose to link to this controller

// /LogOut
public ActionResult LogOut()
{
    FormsAuthentication.SignOut();
    TempData.Clear();
    Session.Abandon();
    getDB.Close();
    return RedirectToAction("Home");
}

I made this happen using this

[Route("~/log_out")]

and this

routes.MapMvcAttributeRoutes();

My concern is that someone could type in /log_out into the url and it would log out of the account. How can I make it so that people won't do that?

I want to make it so you have to click the link to log out instead of typing in /log_out into the url.

You can decorate the action with an AntiForgeryToken attribute, see [here](https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks) for details. That will require your logout button to be in a form however. — maccettura, Apr 05 '18 at 18:09
I don't see any foolproof way to accomplish this. Anyone can open the network tab in web inspector, get the URL, and replay it. — Dan Wilson, Apr 05 '18 at 18:09
@DanWilson Is there an if statement I can use to tell whether the button was clicked or not? — Bradley William Elko, Apr 05 '18 at 18:12
Sure, you can put the button in a form and set a hidden input flag when it is clicked and POSTed to `LogOut`. — Dan Wilson, Apr 05 '18 at 18:13
@maccettura Maybe I could use a post button and make a bool determining if the button was pressed. — Bradley William Elko, Apr 05 '18 at 18:14
@BradleyWilliamElko you don’t need a bool. Just lookup AntiForgeryToken. This allows the action to _only_ be hit by a button action. Which means no one can just hit the URL — maccettura, Apr 05 '18 at 18:15
@BradleyWilliamElko each one has its own token that is verified in the action attribute. Read the article I linked and try it out. — maccettura, Apr 05 '18 at 18:21
@maccettura Forms won't work form me. I tried using a form but it won't access the LogOut Controller. — Bradley William Elko, Apr 05 '18 at 18:34

score 0 · Answer 1 · answered Apr 05 '18 at 18:28

0

i think this is a dumb way.. but you can try this

<li class="home-links home-middleLast"><form action="@Url.Action("LogOut","Home")" method="post"><button type="submit">Log Out</button></form></li>

and add [HttpPost] above your action

//LogOut
[HttpPost]
public ActionResult LogOut()
{
    FormsAuthentication.SignOut();
    TempData.Clear();
    Session.Abandon();
    getDB.Close();
    return RedirectToAction("Home");
}

but... you must change Log Out button and style it so it looks like a link with css

answered Apr 05 '18 at 18:28

Anggra

1

It won't work for me. The problem is it won't access the LogOut Controller because it is in the Home Controller. – Bradley William Elko Apr 05 '18 at 18:34
hmm... its weird... i assume you have a LogOut method inside HomeController, because of that, i use @Url.Action("LogOut","Home") as a URL form action. – Anggra Apr 05 '18 at 18:38
The problem is the login controller is not routed in this answer. – Bradley William Elko Apr 05 '18 at 18:41

RickL · Answer 2 · 2018-04-05T20:31:52.573

This needs script:

@Html.ActionLink("Log out", "LogOut", "Home", null, new { @class= "logout-btn" })

<script>
    $(function () {
        $(".logout-btn").click(function (e) {
            e.preventDefault();
            var url = $(this).attr("href");
            $.ajax({
                url: url,
                success: function (data) {
                    if (data) {
                        // change to your location
                        window.location.href = "http://stackoverflow.com";
                    }
                }
            });
        });
    });
</script>

and the Action:

public ActionResult LogOut()
{
    if (Request.IsAjaxRequest())
    {
        FormsAuthentication.SignOut();
        TempData.Clear();
        Session.Abandon();
        getDB.Close();
        return Json(true, JsonRequestBehavior.AllowGet);
    }

    return Json("Invalid request", JsonRequestBehavior.AllowGet);
}

Isn't using jquery or javascript bad? I believe people could manipulate this code in a negative way. — Bradley William Elko, Apr 05 '18 at 21:13
That's a topic for another question, which you probably couldn't post here without javascript. — RickL, Apr 06 '18 at 01:33

Bradley William Elko · Accepted Answer · 2018-04-11T16:44:24.060

View

using (Html.BeginForm("LogOut", "Home", FormMethod.Post))
{
    <li class="home-links home-middleLast"><input type="submit" value="Log out"/></li>
}

Controller

[HttpPost]
[Route("")]
[Route("~/home")]
public ActionResult LogOut()
{
    FormsAuthentication.SignOut();
    TempData.Clear();
    Session.Abandon();
    getDB.Close();
    return RedirectToAction("Home");
}

I put the home route on the LogOut Controller as well is HttpPost. This will only hit when the button is pressed.

EDIT: I didn't use the previous answer I submitted. I actually used this https://stackoverflow.com/a/14194770/6804700

MVC: How Do I Link An Input Button To A Different Action?

3 Answers3