Vulnerability in EPiServer.Forms
We have a problem that has been raised before: an expired page redirects the visitor to the Episerver login page.
The only thing is that the solution mentioned in the article (and in some other articles I found) all refer to Web Forms. Since our solution is CMS 9 we need a solution for MVC. Anyway, I don't seem to find any information about it.
Any help or tips appreciated,
I know we solved that in the Mogul SEO Manager add-on: http://www.episerver.se/partners/add-on-store/mogul-seo-manager/
What do you want to do? Custom 410 page? I can give you some sample code if you need...
I have taken a quick solution to this in the past using 7.5, running a check in the PageControllerBase<T> to throw a 404 to the user if not in edit mode:
protected override void OnAuthorization(AuthorizationContext filterContext)
{
    // Expired page requested outside edit mode: throw a 404 instead of letting
    // Episerver bounce the visitor to the login page
    // (needs EPiServer.Core, EPiServer.Editor and EPiServer.Web.Routing)
    var page = filterContext.RequestContext.GetRoutedData<PageData>();
    if (page != null && !PageEditing.PageIsInEditMode && page.StopPublish <= DateTime.Now)
        throw new System.Web.HttpException(404, "Page Not Found");
    base.OnAuthorization(filterContext);
}
I blogged about this a year ago: http://www.dcaric.com/blog/episerver-how-to-return-404-for-expired-pages
EPiServer will update the default behavior so that a 404 is returned instead of the login page (I will try to find a link to that announcement :) ).
Hope this helps!
And be very careful with 410.
It means that the client should not request the resource again in the future.
Here's an interesting blog post on that subject by Scott Hanselman: http://www.hanselman.com/blog/410GoneThoughtsOnMarkDiveintomarkPilgrimsAndWhysInfosuicides.aspx
This may be solved in the upcoming Episerver 10. See the first smaller breaking change here: http://world.episerver.com/blogs/Per-Bjurstrom/Archive/2016/6/planned-breaking-changes-2016/ Links to unpublished content will return 404 (instead of login screen).
@Dejan I agree. A general 410 approach is a bit too hardcore. 404 is better.
@David You can't just go around fixing all these quirks. Soon even designers can code a decent Episerver site ;)
Great news! I do love my 404s...
This is solved in Episerver 10.0.1
Big thanks for all the input. We have finally solved it with a custom attribute. It seems to work fine. The only thing is that I couldn't find any other way to pass the PageData than through a ViewBag set in the base controller, which doesn't feel so neat. Anyway, it seems to do the trick:
using System;
using System.Web.Mvc;
using EPiServer.Core;
using EPiServer.Web.Mvc;

public class CustomAuthorizeContentAttribute : AuthorizeContentAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // The base controller puts the current page in ViewBag.PageData
        var pageData = filterContext.Controller.ViewBag.PageData as PageData;

        // Is it an authenticated user? We do this redirect because otherwise epi
        // redirects to epi login screen as default behaviour when a page is expired
        if ((pageData == null) ||
            ((pageData.IsPendingPublish || pageData.StopPublish <= DateTime.Now) && !filterContext.HttpContext.User.Identity.IsAuthenticated))
            filterContext.Result = new RedirectResult("/404/");
        else
            base.OnAuthorization(filterContext); // not expired: Episerver's normal access check still runs
    }
}
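Added example (editor's note, not code from this thread or from Episerver): one attribute that combines Dejan's base-controller check and the accepted ViewBag-based attribute above, with three changes a practitioner would want. It reads the routed page with `RequestContext.GetRoutedData<PageData>()` instead of a ViewBag hand-over; it lets the page through only for edit mode or a user who actually holds Edit rights on the page (an "is authenticated" check would show expired content to any logged-in site member); and it answers with a real 404 status (`HttpNotFoundResult`) rather than a 302 to `/404/`, so crawlers, monitoring and the browser see the true status. Assumptions: CMS 9 API names (`GetRoutedData`, `PageEditing.PageIsInEditMode`, `QueryDistinctAccess`) and that `AuthorizeContentAttribute.OnAuthorization` is virtual so it can be overridden and called for the non-expired path; the class name is mine.

```csharp
using System;
using System.Web.Mvc;
using EPiServer.Core;
using EPiServer.Editor;
using EPiServer.Security;
using EPiServer.Web.Mvc;
using EPiServer.Web.Routing;

/// <summary>
/// Returns 404 Not Found for pages that are not (or no longer) published,
/// unless the caller may edit the page. Everything else is delegated to
/// Episerver's own AuthorizeContentAttribute, so ordinary access rights
/// are still enforced. Example code for this thread, not Episerver code.
/// </summary>
public class NotFoundForUnpublishedAttribute : AuthorizeContentAttribute
{
    // Assumption: AuthorizeContentAttribute.OnAuthorization is virtual.
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        // The page Episerver routed to; no ViewBag hand-over needed.
        var page = filterContext.RequestContext.GetRoutedData<PageData>();

        if (page != null && IsUnpublished(page) && !MayEdit(filterContext, page))
        {
            // Real 404 status, not a 302 to a "/404/" content page.
            filterContext.Result = new HttpNotFoundResult();
            return;
        }

        // Normal path: let Episerver check Read access as usual.
        base.OnAuthorization(filterContext);
    }

    private static bool IsUnpublished(PageData page)
    {
        // Pending publish, or StopPublish already passed. The comparison works
        // whether StopPublish is DateTime (CMS 9) or DateTime? (later versions):
        // a null StopPublish compares as false, i.e. "never expires".
        return page.IsPendingPublish || page.StopPublish <= DateTime.Now;
    }

    private static bool MayEdit(AuthorizationContext filterContext, PageData page)
    {
        // Edit mode (an editor previewing the page) or a user with Edit rights
        // on this page. Being authenticated alone is deliberately not enough.
        if (PageEditing.PageIsInEditMode)
            return true;

        var user = filterContext.HttpContext.User;
        return user != null
            && user.Identity.IsAuthenticated
            && page.QueryDistinctAccess(AccessLevel.Edit);
    }
}
```

Apply it as `[NotFoundForUnpublished]` on the site's PageControllerBase<T> (or on individual page controllers) in place of a custom ViewBag-based attribute. Because the result is a genuine 404 status, the friendly error page is served by the normal ASP.NET `customErrors`/`httpErrors` configuration rather than by redirecting to a content page, and the 410 Gone discussion above still applies: use 410 only for content you intend never to bring back.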