Remove IsLocal #536
Comments
|
Yea, kill it IMO |
If we add it back as an extension method won't be in the same place? It seems like an OK thing to remove from |
|
Current recommendation is to remove it without adding an extension. |
|
Yup, no extension method. This was redundant anyway. |
|
Fixed via 1f21540 |
|
I found this method useful for authorising a user based on if it is a Local request or not. I am aware that this information (ip address) could be spoofed, but I was happy to accept that risk based on mitigating factors, mainly that this is only operational during the initial setup of the site (the first time you access the site after it is installed, it greets you with a setup wizard). Can you provide a replacement? Perhaps similar to what @Tratcher suggested? |
|
IsLocal is more dangerous than it once was because of the prevalence of local reverse proxies (e.g. Nginx, HttpPlatformHandler, AspNetCoreModule, etc.), most requests now appear to be local. How would your setup process work for a site deployed to a hoster like Azure Web Sites where there is no local access? Consider using a Staging Environment mode or real credentials based authentication. |
|
@Tratcher understood. If there is a chance of IsLocal no longer being accurate anymore then I don't wish to use anymore anyway. I'll have to re-think my setup process. :( |
|
So what I've seen working for some folks is
|
|
@blowdart haha thanks - I like that suggestion, Team City uses that concept too, it generates a system admin login token which it writes to a local log file. Cheers |
We keep getting questions like this: aspnet/Hosting#570 (comment)
Environments are the correct way to handle these scenarios most of the time.
We should remove IsLocal, and possibly replace it with an extension method that just returns RemoteIP.Equals(LocalIP).
@davidfowl @muratg @blowdart
The text was updated successfully, but these errors were encountered: