Should the AntiForgeryToken be applied to every post action in an ASP.NET MVC application? Off the top of my head I can't think of any reason why you would not want to include this on every post action, but it seems that nobody ever actually recommends using it on all of your actions.
I'd love to hear your thoughts.
I always use it on POST/DELETE/PUT actions. I want to be as sure as I can that the request is coming from a page that my server sent to the browser when I'm changing data as a result.
Not adding an anti-forgery token to a form would require being completely sure there is no possibility of a cross site forgery (or other) attack. And that such attach will not be found in the future for that case.
On the other hand is there ever a significant disadvantage to having a token?
It seems to be that not doing it always will be more (mental) effort in finding those "no risk" cases.
Related
I was told that there is no need to put the ValidateAntiForgery mechanism on our razor form because it's not behind authentication and is totally open to the public.
I thought I read somewhere that it should be used on all POSTs.
Which is correct?
There are a number of articles which can tell you when and where it is most appropriate to use the AntiForgeryToken. Here's a few:
http://www.devcurry.com/2013/01/what-is-antiforgerytoken-and-why-do-i.html
http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
http://peterkellner.net/2014/05/19/asp-net-mvc-forms-need-include-html-antiforgerytoken-security/
The last one is explicit, the author recommends that you should use the feature for all forms. It will be generally beneficial to your entire website, provided that you care about the identity of your users.
If your users have no session, and there is nothing to be gained from hijacking their ASP.NET cookie, then the anti forgery token is not particularly useful.
First of all it's important to note that in my application if you log out your session is still valid and you don't just get redirected back to a login page, but stay on the same page.
With that said - whichever of these two ways I use to sign out in an MVC application
FormsAuthentication.SignOut()
WebSecurity.Logout()
the effect is the same and neither of the following properties changes to reflect the logout if I immediately access them :
User.Identity.Name
Thread.CurrentPrincipal.Identity
Now - If I do a Redirect, or just reload the page then obviously these properties are updated to a null user. They just don't immediately meaning that User.Identity.Name represents a user that just logged out.
This is a problem because I want to generate text of the form You are logged in as XXX after login/logout - and this may be in an AJAX situation where a redirect isn't possible.
I'm curious if there's any way to trigger the IPrincipal to reset itself after a logout (or login).
I assume people normally just Redirect() after a Logout() call so this is never an issue, but in an AJAX situation this is not always practical.
My current solution is to abstract the Identity in my own wrapper, and so once I'm logged out I can just update that. I'm just a little concerned that this could have some obscure side effects especially if somebody accesses IPrincipal directly adn not through the wrapper.
This is a core limitation of the ASP.NET event pipeline as it relates to forms authentication. This also makes it vulnerable to replay attacks, as described in KB article 900111. In that article, they reference one solution to use a membership provider that stores some server-side information about the logged on user.
Membership provider seems very similar to the approach you are thinking of taking, and I wonder if you should consider using one of the built-in membership providers, or writing your custom code as a membership provider. This should address some of the concern about people not understanding the approach and calling the IPrincipal directly.
Your "logout but stay on the same page" brings the issue a little more to the fore, but ultimately you're just uncovering the same fundamental replay issue that everyone has with ASP.NET (but not everyone solves it).
This related question may also be helpful.
Quite some time i`ve learnt MVC. I have seen various techniques to post data :ajax post and form post.
Is there any other?
I`m quite confused about which technique to use and when?
Can anyone help me on this part?
Well, all ways you described above are serving to send the data from your html form to the server for processing.
You were right, you may send this data via form post or ajax post.
The difference is simple.
When you are doing form post, your browser is collecting all parameters from your form and sending it to the server.
While the browser waits for the response, it hangs any activity for the page. After that, the page is blinking and reloading its content.
All that period of time, the consumer of your site feels that he should sit and wait for some time until the window blink and reload its content.
Ajax post does the same as the form post. It collects the data from the page and then sends it to the server.
The main difference, this way does not hangs your browser window.
In this way your application works like windows application. Things are opening, closing, the data is changing, etc.
This way requires of using some script language like javascript or vbscript.
At present moment there is a lot of javascript libraries that helps you. For example, you may use jquery library
So, since there is no difference, its up to you which way to use.
I would recommend to always use firstly form post, because it does not requires any client scripting and its easier to implement.
When you be sure that your application is working in the way you want,you may add some good looking things like ajax posts, so your application will look more friendly to the consumer
A form does an HTTP Post request back to the server. I'd suggest to use 'Post, Redirect, Get' Pattern. Take a look at this article: http://www.eworldui.net/blog/post/2008/05/ASPNET-MVC---Using-Post2c-Redirect2c-Get-Pattern.aspx
The PRG pattern sounds nice but I really dislike having to put the received values in TEMPDATA.
I am playing with learning ASP.NET MVC as a non-web developer. I am trying to find the best idiom to use for an app that has a concept of selecting a 'project' to work on the first page that affects all other pages.
There seems to be three choices:
Just put the information into the session state. Works fine, but isn't very MVC-ish
Embed the state into all URLs ... so instead of /Products/Details/1 the URLs are all /(project_id)/Products/Details/1
Setting a separate cookie for this information
Since nearly all the URLs in the application would require the current project this seems overkill, and makes constructing the URLs used in any of the views that much more work. It would also require that I validate the permissions on each call since the user could easily modify it.
Any suggestions on the best approach -- is using the session such a bad idea?!
Option 2 out of yours is my choice.
So instead of /Products/1/Details
I would make it Project/1/Products/1/Details
Its just more in line with REST. Its virtually irrelevant to MVC, but if you want your Routes and URLs to read like resources in REST, you'll want the url to collapse at the slashes and carry the state. Other ways are to mark a project id in cookie, but that kills linking, so that as someone leaves and comes back they get put back there.
Session also makes it hard to test if you bind yourself directly to that concept.
Personally, I would just use the session. There's nothing non-MVCish about the session really - think of it as just being part of your model.
Using a cookie is really no different than using the session. Embedding it in the URLs is not a bad option though, especially for "linkability" if that's a concern for your project. But it has the side effect of cluttering up URLs and requiring you to pass that ID around constantly from page to page.
Is there any way to tell if a visitor to a site is new, or just the same one over and over again, for the purpose of a hit counter?
Sessions don't really seem to exist in MVC, so I know I can't really use them...
Is there any way to tell if a visitor to a site is new, or just the same one over and over again, for the purpose of a hit counter?
There's not a 100% reliable way due to the stateless nature of the web but for the purposes of a counter, setting a cookie and checking whether it's there or not is adequate for the most cases.
Sessions don't really seem to exist in MVC, so I know I can't really use them...
This is not true. You can use Session in ASP.NET MVC too. Although, in general, you should avoid server-side state as much as possible when you don't need it to ease scalability.
You can use sessions in ASP.NET MVC, but as Mehrdad points out, storing this kind of information on the server is not the way to go about it--use JavaScript cookies instead. And let your clients do the "heavy lifting".
Quircksmode has a great article on using JavaScript cookies.