asp.net mvc - MVC5 Web Application Scaffold - Account/Logoff - Why use HTTP Post? -

-

i trying head around mvc 5 web application template, , noticed special attention given security around logoff link.

in scaffold template "logoff" link in _loginpartial.cshtml view sits inside html form antiforgerytoken in it, , defined js call form's submit action, so:

@if (request.isauthenticated) {     using (html.beginform("logoff", "account", formmethod.post, new { id = "logoutform", @class = "navbar-right" }))     {     @html.antiforgerytoken()      <ul class="nav navbar-nav navbar-right">         <li>             @html.actionlink("hello " + user.identity.getusername() + "!", "index", "manage", routevalues: null, htmlattributes: new { title = "manage" })         </li>         <li><a href="javascript:document.getelementbyid('logoutform').submit()">log off</a></li>     </ul>     } }

with corresponding action method account/logoff inside actioncontroller defined so:

        [httppost]         [validateantiforgerytoken]         public actionresult logoff()         {             authenticationmanager.signout();             return redirecttoaction("index", "home");         }

my question - reasoning behind it? why logoff action require security protection? why not have in view,

@html.actionlink("hello " + user.identity.getusername() + "!", "index", "manage", routevalues: null, htmlattributes: new { title = "manage" }) @html.actionlink("log off", "logoff", "account", routevalues: null, htmlattributes: new { title = "logoff" })

and in controller:

 public actionresult logoff()         {             authenticationmanager.signout();             return redirecttoaction("index", "home");         }

what security hole create?

thanks.

please refer link: logout: or post?.

it answer question on why post should used in logout.


Comments

Post a Comment

Popular posts from this blog

python - pip install -U PySide error -

-
does know how avoid following error when running pip install -u pyside per official website instructions here: https://pypi.python.org/pypi/pyside/#installing-pyside-on-a-mac-os-x-system note have done brew install qt successfully. you using pip version 7.0.3, version 7.1.2 available. should consider upgrading via 'pip install --upgrade pip' command. collecting pyside using cached pyside-1.2.4.tar.gz installing collected packages: pyside running setup.py install pyside complete output command /applications/anaconda/bin/python -c "import setuptools, tokenize;__file__='/private/var/folders/dy/ttgqhqqx3g9bsbsnqnxsk2z80000gq/t/pip-build-cpxemt/pyside/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /var/folders/dy/ttgqhqqx3g9bsbsnqnxsk2z80000gq/t/pip-0r7hri-record/install-record.txt --single-version-externally-managed --compile: ...
Read more

arrays - C++ error: a brace-enclosed initializer is not allowed here before ‘{’ token -

-
simple question: i'm trying initialize array within c++ class declaration: using namespace std; #include <string> class myclass{ public: string myarray[] = {"a","b","c"}; }; and i'm getting error: error: brace-enclosed initializer not allowed here before ‘{’ token no, without complied c++11 compiler, cannot initialize member array in declaration. have initialize array member in constructor. , don't use open array if know number of elements initialize array.
Read more

cytoscape.js - How to add nodes to Dagre layout with Cytoscape -

-
i trying add nodes dagre graph through cityscape.js. problem nodes not painted. code have: cy.add({ group: "nodes", data: { id:"n0",name:"n0",weight: 75 }, }); $.ajax(url).done(function(jsontree){ var newnodes=[]; for(var i=1;i<6;i++){ //var child = jsontree.result[i]; newnodes.push( { group: "nodes", data: { id: "n"+i, name:"n"+i}}, { group: "edges", data: { id: "e"+i, source: "n0", target: "n"+i } } ); } cy.add(newnodes); any ideas? have used loaded function reload graph not work. not know if have use specific function reload graph. thank in advance. you need add positions new nodes. cytoscape.js docs : it important note positions of newly added nodes must defined when calling cy.add(). nodes can not placed in graph without valid position — otherwise not displayed. yo...
Read more