Managing sessions in asp.net mvc4 with razor engine

Question

I have an asp.net application mvc4. i have an authentification view : the user login as a normal user or an administrator.

[OutputCache(NoStore = true, Duration = 0)]
        public ActionResult Index()
        {
            if (Upload.Models.CompteModels.Connected)
            {
                Upload.Models.ClientModels model1 = new Models.ClientModels();
                List<ClientModels> client = model1.Client_List();

                Upload.Models.AkeoModels model2 = new Models.AkeoModels();
                List<AkeoModels> akeo = model2.Akeo_List();



                MemberModels m = new MemberModels();
                m.AkeoModels = model2.Akeo_List();
                m.ClientModels = model1.Client_List();

        return View(m);
     }
   else return RedirectToAction("Login", "Account");

 }

if i launch the application in a browser for example chrome and login to the admin account. Then i drag and drop the url of the admin page to another browser like opera it's works and displays the admin's page despite it's a new session.

Why this happens? how can i manage the sessions to avoid this problem?

Answer 1

My guess is that you have not locked down authorization for the admin's page. You need something that checks to determine if the current user is authenticated, in the correct role, etc. What are you using for authentication and authorization?

The Authorize attribute exists specifically for the purpose of locking down pages to authenticated users. Additionally, you can specify what roles to allow.

Answer 2

You are using the Upload.Models.CompteModels.Connected to determining if to redirect to the login page.

It appears that you are caching this value on the server, so regardless of who accesses the page, if the value is true, they will get the view.

I recommend you use the Authorize attribute to protect the page:

[Authorize]
public ActionResult Index()