ASP.NET’s built in CSRF (Cross-site request forgery) is pretty straight forward. You add a token to your views via an HTML Helper, and then decorate your controller actions with a specific attribute to validate the token on POST. There are many times, seemingly randomly, where users have invalid tokens on their requests. MVC throws a 500 error with an HttpAntiForgeryException. For legitimate users, this is not an optimal experience.
Handling ASP.NET MVC HttpAntiForgeryExceptions
posted on August 5, 2016 by long2know in ASP.NET, MVC
Accessing OWIN Context within a filter attribute
posted on February 10, 2016 by long2know in ASP.NET, MVC, OWIN, Security, WebApi
With a new project we have, I was tasked with working on security. Initially, I used OWIN and cookie authentication to implement a simple login and all was good. However, we wanted to remove the ability to login and have it driven by an external site redirecting a user with a token.
WebAPI Authorization in Views and Unit Tests
posted on September 28, 2015 by long2know in ASP.NET, MVC, WebApi
In my .NET 4.5 MVC projects, I already have helper methods/extensions that let me determine if a user has access to a particular controller action. This provides a nice mechanism to hide and show buttons, hyperlinks, or other UI action elements based on the authorization attributes that have been defined on the MVC Controller.
However, this is a bit more complicated with ApiControllers.
T4MVC
posted on April 23, 2015 by long2know in ASP.NET, MVC, Web
I’ve used T4MVC within my MVC projects for a long, long time now. It’s one of those extremely useful utilities that probably gets forgotten.
At any rate, I’m not sure if I ever mentioned why I like T4MVC, but here are a few reasons.