Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Prevent Caching of Attributes in ASP.NET MVC, force Attribute Execution every time an Action is Executed

Tags:

attributes

asp.net-mvc

action-filter

According to various articles (e.g. here and here) attribute results on ASP.NET MVC Actions may be cached and not executed again when a controller action is called.

That behavior is not desired in my case (e.g. I have an authorization system based on my own attributes and IPs, role checks that need to execute every time, and other things).

How can I prevent ASP.NET MVC from caching my attributes/attribute execution results and guarantee that they are executed every time?

like image 208
Alex Avatar asked Oct 15 '22 13:10

Alex

2 Answers

Look at the source code for the AuthorizeAttribute (on Codeplex or via Reflector) to see how it goes about turning off caching for authorized pages. I refactored it into a separate method on my custom authorization attribute which derives from AuthorizeAttribute.

protected void CacheValidateHandler( HttpContext context, object data, ref HttpValidationStatus validationStatus )
{
    validationStatus = OnCacheAuthorization( new HttpContextWrapper( context ) );
}

protected void SetCachePolicy( AuthorizationContext filterContext )
{
    // ** IMPORTANT **
    // Since we're performing authorization at the action level, the authorization code runs
    // after the output caching module. In the worst case this could allow an authorized user
    // to cause the page to be cached, then an unauthorized user would later be served the
    // cached page. We work around this by telling proxies not to cache the sensitive page,
    // then we hook our custom authorization code into the caching mechanism so that we have
    // the final say on whether a page should be served from the cache.
    HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
    cachePolicy.SetProxyMaxAge( new TimeSpan( 0 ) );
    cachePolicy.AddValidationCallback( CacheValidateHandler, null /* data */);
}
like image 73
tvanfosson Avatar answered Oct 21 '22 02:10

tvanfosson

I just finished a spirited discussion with Craig Stuntz (the author of the first article you listed).

I ended up using an AuthorizeAttribute with AuthorizeCore to guarantee that authorization is called even in the event the page is cached.

like image 43
Peter J Avatar answered Oct 21 '22 02:10

Peter J
Sign in to Comment

Related questions

ASP.NET MVC Intellisense not finding ViewData
Using two strongly typed models for one MVC view
ASP.NET MVC jQueryUI datepicker not working when using AJAX.BeginForm
Is there an ASP MVC equivilent to JSTL tags?
Is Asp.Net MVC + CSLA + DDD Possible
ASP.NET MVC how to implement link which returns to previous page?
asp.net mvc - Route for string or int (i.e. /type/23 or /type/hats)
I need More information on HandleError
Updating Parent/Child Records with model binders in ASP.Net MVC
Multiple master pages in a single application
How to do Model Binding with Jquery Ajax
JSON return format in ASP.NET MVC
How to do Basecamp-style accounts in Asp.Net Mvc?
Remote Debugging on IIS - Access Denied Nightmare!
Caching not working right in my ASP.NET MVC website?
Mocking a DataServiceQuery<TElement>
Paging with PagedList, is it efficient?
ASP.NET MVC load Razor view from database
unit testing asp mvc view
How do you handle ajax requests when user is not authenticated?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!