ASP.NET MVC 1.0 Release Candidate Now Available
page 15 of 20
by Scott Guthrie
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 67400/ 146

AccountsController Unit Tests

The ASP.NET MVC Project Template included with the RC build now adds 25 pre-built unit tests that verify the behavior of the AccountsController class (which is a controller added to the project by default to handle login and account management scenarios).  This makes refactoring/updating AccountsController easier.  The AccountsController implementation has also been modified to more easily enable non-Membership Provider based credential systems to be integrated.

Cross Site Request Forgery (CSRF) Protection

Cross-site request forgery (CSRF) attacks (also referred to as XSRF attacks) cause users of a trusted browser agent to take unintended actions on a site.  These attacks rely on the fact that a user might still be logged in to another site.  A malicious Web site exploits this by creating a request to the original site (for example: by linking to a URL on the site using a <img src=””/> element on the hacker site). The request is made using the user’s browser and thus with the user’s authentication token and credentials. The attacker hopes that the user’s authentication or session cookie is still valid and if so, the attacker can sometimes take disruptive action.  You can learn more about this hacking technique here.

The ASP.NET MVC RC now includes some built-in CSRF protection helpers that can help mitigate CSRF attacks.  For example, you can now use the Html.AntiForgeryToken() helper to render a hidden input token within forms:

Figure 36

This helper issues a HTTP cookie and renders a hidden input element into our form.  Malicious web-sites will not be able to access both values.

We can then apply a new [ValidateAntiForgeryToken] attribute onto any action method we want to protect:

Figure 37

This will check for the existence of the appropriate tokens, and prevent our HTTP-POST action method from running if they don’t match (reducing the chance of a successful CSRF attack).

View Entire Article

User Comments

Title: Awesome article, great work!   
Name: George Loew
Date: 2009-03-25 12:20:05 AM
excellent article, scott! It is very useful and contain excellent information about ASP.NET MVC framework. I have had a chance to try this ASP.NET MVC technology with my current host ( and everything works beautifully.

I am rating 5 stars for this article and I am looking forward to your next articles.
Title: Cache Photo   
Name: Meysam
Date: 2009-03-05 2:14:50 AM
Is it possible to send cache status (304) in response to subsequent requests for a photo?

Product Spotlight
Product Spotlight 

Community Advice: ASP | SQL | XML | Regular Expressions | Windows

©Copyright 1998-2024  |  Page Processed at 2024-05-25 11:48:33 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search