[英]Securing ELMAH File
I am trying to allow the access to the elmah.axd file for only a perticular login and all others should be denied. 我试图仅允许垂直登录访问elmah.axd文件,而所有其他登录都应被拒绝。 I have followed Phil Haack's tutorial for securing the file.
我遵循了Phil Haack的教程来保护文件。
<httpHandlers>
<remove verb="*" path="*.asmx"/>
<add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false"/>
<add verb="POST,GET,HEAD" path="admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<location path="admin">
<system.web>
<authorization>
<allow users="admin@testing.com"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
First I logged in as user@testing.com and tried to access the http://localhost:58961/admin/elmah.axd file and I am rightly being redirected to the Login.aspx page. 首先,我以user@testing.com的身份登录,并尝试访问http:// localhost:58961 / admin / elmah.axd文件,然后正确地将我重定向到Login.aspx页面。 Next I logged in as admin@testing.com and was able to access the elmah file at http://localhost:58961/admin/elmah.axd .
接下来,我以admin@testing.com的身份登录,并能够访问位于http:// localhost:58961 / admin / elmah.axd的elmah文件 。 Now I logged in again as user@testing.com and I was able to access the emlah file now.
现在,我以user@testing.com的身份再次登录,现在可以访问emlah文件。 What is the reason for this behavior?
这种行为的原因是什么?
It would appear that you still had a valid session key from your "admin@testing.com" account. 看来您的“ admin@testing.com”帐户中仍有有效的会话密钥。 This may have been from a browser window, or from how asp.net handles authentication.
这可能是从浏览器窗口或asp.net处理身份验证的方式。
sometime there can be a case where the asp.net authentication ticket is market as expired, however the cookie has not yet (because of sliding expiry) 有时可能会出现asp.net身份验证票证在市场上过期,但是cookie尚未过期的情况(由于到期日的滑动)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.