asp.net mvc - MVC5 Web Application Scaffold - Account/Logoff - Why use HTTP Post? -

-

i trying head around mvc 5 web application template, , noticed special attention given security around logoff link.

in scaffold template "logoff" link in _loginpartial.cshtml view sits inside html form antiforgerytoken in it, , defined js call form's submit action, so:

@if (request.isauthenticated) {     using (html.beginform("logoff", "account", formmethod.post, new { id = "logoutform", @class = "navbar-right" }))     {     @html.antiforgerytoken()      <ul class="nav navbar-nav navbar-right">         <li>             @html.actionlink("hello " + user.identity.getusername() + "!", "index", "manage", routevalues: null, htmlattributes: new { title = "manage" })         </li>         <li><a href="javascript:document.getelementbyid('logoutform').submit()">log off</a></li>     </ul>     } }

with corresponding action method account/logoff inside actioncontroller defined so:

        [httppost]         [validateantiforgerytoken]         public actionresult logoff()         {             authenticationmanager.signout();             return redirecttoaction("index", "home");         }

my question - reasoning behind it? why logoff action require security protection? why not have in view,

@html.actionlink("hello " + user.identity.getusername() + "!", "index", "manage", routevalues: null, htmlattributes: new { title = "manage" }) @html.actionlink("log off", "logoff", "account", routevalues: null, htmlattributes: new { title = "logoff" })

and in controller:

 public actionresult logoff()         {             authenticationmanager.signout();             return redirecttoaction("index", "home");         }

what security hole create?

thanks.

please refer link: logout: or post?.

it answer question on why post should used in logout.


Comments

Post a Comment

Popular posts from this blog

apache - setting document root in antoher partition on ubuntu -

-
i place apache document root inside partition of ubuntu hard drive, keep getting forbidden message, when place home directory woking find, how be? group or owner affected ? here mysite.conf , apache2.conf when place document root in home folder (working) #site-available/mysite.conf documentroot /home/jono/www #/etc/apache2/apache2.conf <directory /home/jono/www/> options indexes followsymlinks allowoverride none require granted </directory> bu when change document root partition keep getting forbidden messasge #site-available/mysite.conf documentroot /media/jono/website_data/www #/etc/apache2/apache2.conf <directory /media/jono/website_data/www/> options indexes followsymlinks allowoverride none require granted </directory> is owner/group access affected ? or there problem ? at last it's working, have grant access www:data accesing whole directory @mark-b, using chown -r www-data:www-data whole directory is...
Read more

cytoscape.js - How to add nodes to Dagre layout with Cytoscape -

-
i trying add nodes dagre graph through cityscape.js. problem nodes not painted. code have: cy.add({ group: "nodes", data: { id:"n0",name:"n0",weight: 75 }, }); $.ajax(url).done(function(jsontree){ var newnodes=[]; for(var i=1;i<6;i++){ //var child = jsontree.result[i]; newnodes.push( { group: "nodes", data: { id: "n"+i, name:"n"+i}}, { group: "edges", data: { id: "e"+i, source: "n0", target: "n"+i } } ); } cy.add(newnodes); any ideas? have used loaded function reload graph not work. not know if have use specific function reload graph. thank in advance. you need add positions new nodes. cytoscape.js docs : it important note positions of newly added nodes must defined when calling cy.add(). nodes can not placed in graph without valid position — otherwise not displayed. yo...
Read more

r - Quantstrat logical error while running applySignals - missing value where TRUE/FALSE needed -

-
i having error while running strategy back-testing in r, using quantstrat package. whenever, try use applysignals function test signals, shows logical error. tried remove nas na.omit(fb) command, when calculate simple moving average, have nas in beginning. can suggest me solution? thanks, require(performanceanalytics) require(quantstrat) require(quantmod) require(blotter) initdate="2015-01-01" from="2015-01-02" to="2015-06-30" options(width=100) currency('usd') sys.setenv(tz="utc") symbols = c("spy", "fb", "twtr") getsymbols(symbols, from=from, to=to, src="yahoo", adjust=true) stock(symbols, currency="usd", multiplier=1) suppresswarnings(rm("account.mac","portfolio.mac",pos=.blotter)) suppresswarnings(rm("order_book.mac",pos=.strategy)) tradesize <- 1000 initeq <- tradesize strategy.st <- portfolio.st <- account.st <- "m...
Read more