
In my application, users can transfer credits between themselves. In my view I check whether the user may transfer credits from his account, and if he may, I render something that lets him do it. I don't want to check again in my controller, so I need some mechanism that lets me check that the user for whom I rendered the view page is the same user who sent the request to my controller.

So basically, I want to check in my controller whether the currently logged-in user is the same as the user who sent the request. For that I think I need something like ViewBag, but not from the controller to a view, rather from the view to the controller. Is that possible?

1 Answer

A proper way to do this will not be the transfer of such information between user requests. Every request shall be stateless, but you are trying to embed state. This is a fair way to shoot yourself in the foot.

If your action requires authentication (you are who you say you are) you should do it using the standard classic ASP.NET way. This will embed a standard authentication token in any further user requests. This way you will know whether the user is authenticated or not.

For some actions that require authorisation (the user has permission to perform an action) you must validate that the user has the power to perform such an action. This must be done for every request, and it is usually a fast operation. No need to optimise things here by reducing your security barrier.

If you search for authentication and authorisation with classic ASP.NET, you will get a more fine-grained answer on how to do the coding bit.


I wouldn't recommend it, but you can still embed hidden information with

<input type="hidden" value="..."/>
answered 2012-08-19T17:49:34.567
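The pattern the answer recommends, as an added example that is not part of the original post and not code from the asker's application: an ASP.NET MVC controller (the question's mention of ViewBag points to MVC) that takes the sender from the authenticated identity on every request and repeats the authorisation check on the POST, so nothing has to travel from the view back to the controller. `ICreditService`, `TransferController` and the action parameters are assumed names for illustration, not an API the page describes.

```csharp
using System.Web.Mvc;

// Assumed service boundary for the example; the real application decides
// how balances are stored and what "can transfer" means.
public interface ICreditService
{
    bool CanTransfer(string fromUser, int amount);   // authorisation rule
    bool UserExists(string user);
    void Transfer(string fromUser, string toUser, int amount);
}

public class TransferController : Controller
{
    private readonly ICreditService _credits;

    public TransferController(ICreditService credits)
    {
        _credits = credits;
    }

    // GET: render the form. The view may hide the transfer button when
    // CanTransfer is false, but that is a convenience for the user, not a
    // security control: the browser is free to submit the form anyway.
    [Authorize]
    public ActionResult Index()
    {
        ViewBag.CanTransfer = _credits.CanTransfer(User.Identity.Name, 1);
        return View();
    }

    // POST: the sender comes from the authentication cookie (User.Identity),
    // never from a hidden field or a route value, so a tampered form cannot
    // name somebody else as the account to debit.
    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(string toUser, int amount)
    {
        string fromUser = User.Identity.Name;

        if (amount <= 0 || string.IsNullOrEmpty(toUser) || !_credits.UserExists(toUser))
        {
            ModelState.AddModelError("", "Invalid transfer request.");
            return View();
        }

        // Authorisation is repeated on this request: the check made while
        // rendering the view proves nothing about this POST, and the balance
        // may have changed since the page was rendered.
        if (!_credits.CanTransfer(fromUser, amount))
        {
            return new HttpStatusCodeResult(403);
        }

        _credits.Transfer(fromUser, toUser, amount);
        return RedirectToAction("Index");
    }
}
```

`[ValidateAntiForgeryToken]` only works if the form in the view emits the matching token with `@Html.AntiForgeryToken()`; it stops another site from submitting the transfer on a logged-in user's behalf, which is the one thing a hidden field cannot do for you. The hidden `<input>` from the answer is still fine for carrying data the user is allowed to choose (the recipient, the amount), just never for carrying who the user is.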