I am reading a book about MVC2, and in the OutputCache section it states:
Warning In the earlier section “How Authorization Filters Interact
with Output Caching,” I explained that [Authorize] has special
behavior to ensure that unauthorized visitors can’t obtain sensitive
information just because it’s already cached. However, unless you
specifically prevent it, it’s still possible that cached output could
be delivered to a different authorized user than the one for whom it
was originally generated. One way to prevent that would be to
implement your access control for a particular content item as an
authorization filter (derived from AuthorizeAttribute) instead of
simply enforcing authorization logic inline in an action method,
because AuthorizeAttribute knows how to avoid being bypassed by output
caching. Test carefully to ensure that authorization and output
caching are interacting in the way you expect.
Is this still true in MVC3?
If affirmative, what is the way to prevent that from happening? (because the explanation in the book is too vague).
Regards.
I think it is.
When you are using OutputCache to cache data, these data are cached globally. As long as a user is authorized, the user will get the cached data.
Yes, we have "VaryByParam" options for OutputCache, but it also creates a new cache entry for every different parameter passed, which means it's still global.
So if you want to cache different data based on users, OutputCache may not be the right way of doing it. If data is user specific, session is the right choice; it's what session lives for.
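As an added illustration of the book's advice (this is example code written for this page, not code from the book or from either post), the C# below puts the per-item access check inside an AuthorizeAttribute subclass and keys the output cache on the user. The security-relevant detail is that AuthorizeAttribute, once its check passes, registers a cache validation callback that calls AuthorizeCore again before a cached copy is served; a check written inline in the action body never executes on a cache hit, so a cached page could be served to a different authorized user. The names DocumentOwnerAttribute, DocumentStore and DocumentsController, the sample owner table, and the assumption that the document id arrives as a `?id=` query-string parameter are all constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Constructed stand-in for a data store: document id -> owner user name.
public static class DocumentStore
{
    private static readonly Dictionary<string, string> Owners =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "42", "alice" },
            { "43", "bob" }
        };

    public static bool IsOwner(string documentId, string userName)
    {
        string owner;
        return Owners.TryGetValue(documentId, out owner)
            && string.Equals(owner, userName, StringComparison.OrdinalIgnoreCase);
    }
}

// Per-item access control as an authorization filter (hypothetical name).
// AuthorizeAttribute wires a cache validation callback when this check passes,
// and that callback re-runs AuthorizeCore before a cached response goes out.
// Logic placed here therefore runs on cache hits; inline action logic does not.
public class DocumentOwnerAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the base checks (authenticated, plus Users/Roles if configured).
        if (!base.AuthorizeCore(httpContext))
            return false;

        // Read the id from the query string rather than RouteData: the cache
        // validation callback can fire before routing has populated RouteData.
        var id = httpContext.Request.QueryString["id"];
        if (string.IsNullOrEmpty(id))
            return false;

        return DocumentStore.IsOwner(id, httpContext.User.Identity.Name);
    }
}

public class DocumentsController : Controller
{
    // VaryByCustom = "user" keys the cache entry on the user name (mapped in
    // GetVaryByCustomString below), so one user's page is never handed to
    // another. VaryByParam = "id" keeps a separate entry per document.
    [DocumentOwner]
    [OutputCache(Duration = 60, VaryByParam = "id", VaryByCustom = "user")]
    public ActionResult Show(string id)
    {
        ViewBag.DocumentId = id;
        ViewBag.Owner = User.Identity.Name;
        return View();
    }
}

// Global.asax code-behind: maps the "user" VaryByCustom key to the identity.
public class MvcApplication : HttpApplication
{
    public override string GetVaryByCustomString(HttpContext context, string custom)
    {
        if (string.Equals(custom, "user", StringComparison.OrdinalIgnoreCase))
        {
            var identity = context.User != null ? context.User.Identity : null;
            return identity != null && identity.IsAuthenticated
                ? "user=" + identity.Name
                : "anonymous";
        }
        return base.GetVaryByCustomString(context, custom);
    }
}
```

With this in place, a request for /Documents/Show?id=42 by alice is cached under a key that includes her user name; a later request by bob for the same id is a separate cache entry, and even if an entry were shared, the validation callback re-runs DocumentOwnerAttribute.AuthorizeCore and rejects him before the cached body is written. To confirm the interaction, exercise the action twice within the cache window as two different users and check that the second user never receives the first user's rendered output.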