Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
137 views
in Technique[技术] by (71.8m points)

c# - Custom Authorization filter in ASP.NET MVC 5?

In ASP.NET MVC 5 we can use [Authorize] attribute to check authorization and limit access to some actionspages. I wonder how can I modify this attribute - authorization should be checked after some period of time? For instance, let unauthorized user to see the page during 10 minutes and then block access.

Updated : it is seems that my question wasn't clear so I bolded the problem. I need to count time each unauthorized user spent on the site and then block him after N minutes.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

You may implement a custom authorization for allowing anonymous browsing during a limited amount of time like this:

public class AuthorizeWithAnonymousTimeoutAttribute : AuthorizeAttribute
{
    public int? AnonymousMinutesTimeout { get; set; }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Let default handling occurs
        base.OnAuthorization(filterContext);

        // If result is set, authorization has already been denied,
        // nothing more to do.
        if (filterContext.Result as HttpUnauthorizedResult != null)
            return;

        var isAnonAllowed = filterContext.ActionDescriptor.IsDefined(
                typeof(AllowAnonymousAttribute), true) || 
            filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(
                typeof(AllowAnonymousAttribute), true);
        if (isAnonAllowed && AnonymousMinutesTimeout.HasValue &&
            // Not authorized
            !AuthorizeCore(filterContext.HttpContext))
        {
            const string visitStartCookieName = "visitStartCookie";
            const string visitStartDateFormat = "yyyyMMddhhmmss";
            var visitStartCookie = filterContext.HttpContext.Request
                .Cookies[visitStartCookieName];
            var now = DateTime.UtcNow;
            DateTime visitStartDate;
            var visitStartCookieValid = visitStartCookie != null &&
                DateTime.TryParseExact(visitStartCookie.Value,
                    visitStartDateFormat, null, DateTimeStyles.AssumeUniversal,
                    out visitStartDate);
            if (!visitStartCookieValid)
            {
                visitStartDate = now;
                filterContext.HttpContext.Response.Cookies.Add(
                    // Session cookie. (Need to set an expiry date if
                    // a "permanent" cookie is wished instead.)
                    new HttpCookie
                    {
                        Name = "visitStartCookie",
                        Value = now.ToString(visitStartDateFormat)
                    });
            }
            if (visitStartDate.AddMinutes(AnonymousMinutesTimeout.Value) < now)
            {
                // Anonymous visit timed out
                HandleUnauthorizedRequest(filterContext);
                return;
            }
        }
    }
}

Then, use it as a global filter if it suits you, like this:

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(
        new AuthorizeWithAnonymousTimeoutAttribute
        {
            // By example, 10 minutes
            AnonymousMinutesTimeout = 10
        });
    // Your other filters
    ...
}

And do not forget to decorate your controllers or actions with AllowAnonymousAttribute:

[AllowAnonymous]
public class YourController
{
}

Or

public class YourController
{
    [AllowAnonymous]
    public ActionResult YourAction()
    {
    }
}

You may also put your custom authorize attribute directly on controllers or actions if defining it globally does not suit you:

// By example, 10 minutes anonymous browsing allowed.
[AuthorizeWithAnonymousTimeout(AnonymousMinutesTimeout = 10)]
public class YourController
{
}

Please note this implementation does not secure the anonymous timeout. A hacker may overcome it and browse anonymously as long as he wishes. Browser tools allow for cookie deletion, so it is easy to start with a fresh timeout.
My example also just set a session cookie, which will be gone by closing/re-opening the browser. Of course using another browser or device will allow for another 10 minutes of usage.

Securing an anonymous timeout is quite hard, since your user is anonymous. You may try to identify your anonymous users from their technical characteristics and then track their timeouts server side.
But you will probably run into many issues: corporate users browsing with the same IP address, or switching between different IP because they do not have a single Internet connection, ...


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...