Session getting cleared with Authorize attribute?

开发者 https://www.devze.com 2023-04-09 00:18 Source: web
I am trying to customize my Authorize attribute so that it redirects the user to appropriate page if he is not authorized.

This is my code till now:

    using System;
    using System.Configuration;
    using System.Web;
    using System.Web.Mvc;

    public class CustomAuthorizationAttribute : AuthorizeAttribute
    {
        public string ErrorMessage { get; set; }

        public string WebConfigKey { get; set; }

        private const string UnauthorizedAccessMessage = "UnauthorizedAccessMessage";


        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            HttpContext.Current.Session["foo"] = "bar";

            base.HandleUnauthorizedRequest(filterContext);

            if (string.IsNullOrEmpty(WebConfigKey))
                throw new ArgumentNullException("WebConfigKey parameter is missing. WebConfigKey should give the actual page/url");

            string configValue = ConfigurationManager.AppSettings[WebConfigKey];

            if (string.IsNullOrEmpty(configValue))
                throw new Exception(WebConfigKey + "'s value is null or empty");

            if (!configValue.StartsWith("http"))
                HttpContext.Current.Response.Redirect(WebUIUtils.GetSiteUrl() + configValue);
            else
                HttpContext.Current.Response.Redirect(configValue);

            filterContext.Controller.TempData[UnauthorizedAccessMessage] = ErrorMessage;

            HttpContext.Current.Session[UnauthorizedAccessMessage] = ErrorMessage;

        }
    }

The problem is that whatever I store in Session or TempData in this method gets lost when the user arrives in some action method in a controller after the redirect is done from this method. I checked Session.Keys/TempData.Keys etc., but all values are lost. Probably something is happening in base.HandleUnauthorizedRequest(filterContext);. But I guess that calling base is important.

Can anybody tell me the exact reason of this behavior and how do I prevent it from happening?


Form authorization and Session are distinct concepts for IIS. You can be authorized but your session may not be valid (for example, try restarting the application pool).

Try with this custom attribute:

using System.Web.Mvc;
using System.Web.Routing;

public class CustomAuthorizationAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);
        if (filterContext.Result == null)
        {

            if (filterContext.HttpContext.Session != null )
            {
                //add checks for your configuration
                //add session data

                // if you have a url you can use RedirectResult
                // in this example I use RedirectToRouteResult

                RouteValueDictionary rd = new RouteValueDictionary();
                rd.Add("controller", "Account");
                rd.Add("action", "LogOn");
                filterContext.Result = new RedirectToRouteResult("Default", rd);
            }
        }
    }
}            
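An added example, not part of the original question or answer: one way to write the attribute so that the message is stored before the redirect and the redirect is returned as an action result rather than issued with Response.Redirect. The class name RedirectingAuthorizeAttribute is hypothetical, ASP.NET MVC 3 or later is assumed (for UrlHelper.IsLocalUrl), and unlike the question's code it assumes the configured target is always a site-local path, so absolute "http" targets are rejected.

```csharp
using System;
using System.Configuration;
using System.Web.Mvc;

// Added example (hypothetical class name), assuming ASP.NET MVC 3 or later.
public class RedirectingAuthorizeAttribute : AuthorizeAttribute
{
    public const string MessageKey = "UnauthorizedAccessMessage";

    public string ErrorMessage { get; set; }

    // Name of the appSettings entry that holds the redirect target.
    public string WebConfigKey { get; set; }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (string.IsNullOrEmpty(WebConfigKey))
            throw new InvalidOperationException("WebConfigKey is not set on the attribute.");

        string target = ConfigurationManager.AppSettings[WebConfigKey];
        if (string.IsNullOrEmpty(target))
            throw new ConfigurationErrorsException(WebConfigKey + " has no value in appSettings.");

        // Assumption: only same-site targets ("/path" or "~/path") are valid here.
        // Rejecting anything else keeps a mistyped or tampered config value from
        // sending unauthenticated users to another host.
        var url = new UrlHelper(filterContext.RequestContext);
        if (!url.IsLocalUrl(target))
            throw new ConfigurationErrorsException(WebConfigKey + " must be a local URL.");

        // Store the message first. Response.Redirect(url) ends the response,
        // so statements placed after it (as in the question) do not run.
        filterContext.Controller.TempData[MessageKey] = ErrorMessage;

        // base.HandleUnauthorizedRequest only sets Result to HttpUnauthorizedResult;
        // this result replaces it, and MVC performs the redirect after the
        // filter returns.
        filterContext.Result = new RedirectResult(target);
    }
}
```

The receiving action can then read TempData["UnauthorizedAccessMessage"] on the redirected request.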