The ASP.NET MVC Project Template included with the RC build
now adds 25 pre-built unit tests that verify the behavior of the AccountsController
class (which is a controller added to the project by default to handle login
and account management scenarios). This makes refactoring/updating
AccountsController easier. The AccountsController implementation has also
been modified to more easily enable non-Membership Provider based credential
systems to be integrated.
Cross Site Request Forgery (CSRF) Protection
Cross-site request forgery (CSRF) attacks (also referred to
as XSRF attacks) cause users of a trusted browser agent to take unintended
actions on a site. These attacks rely on the fact that a user might still
be logged in to the site being targeted. A malicious web site exploits this by
causing the browser to issue a request to the original site (for example: by linking to a URL on
the site using an <img src="" /> element on the attacker's page). The request
is made by the user's browser and thus carries the user's authentication token
and credentials. The attacker hopes that the user's authentication or session
cookie is still valid and, if so, the attacker can sometimes take disruptive
action. You can learn more about this attack technique here.
The ASP.NET MVC RC now includes some built-in CSRF
protection helpers that can help mitigate CSRF attacks. For example, you
can now use the Html.AntiForgeryToken() helper to render a hidden input token
within forms:
Figure 36
This helper issues an HTTP cookie and renders a
hidden input element into our form, each carrying a token that must match the other. A malicious web site
can cause the browser to send the cookie, but it cannot read the hidden form value,
so it will not be able to submit both values together.
We can then apply a new
[ValidateAntiForgeryToken] attribute onto any action method we want to protect:
Figure 37
This will check for the existence of the
appropriate tokens, and prevent our HTTP-POST action method from running if
they are missing or don't match (reducing the chance of a successful CSRF attack).
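The two halves wired together, as an added example rather than code from the original post or from the RC template: the view fragment renders the token, and only the state-changing POST action carries the validation attribute. The controller and action names, the view path, and the use of the built-in Membership API are assumptions for illustration.

```csharp
// Added example (not from the original post). Assumed names: AccountController,
// ChangePassword, Views/Account/ChangePassword.aspx.

// --- Views/Account/ChangePassword.aspx (WebForms view engine, MVC RC era) ---
// <% using (Html.BeginForm()) { %>
//     <%= Html.AntiForgeryToken() %>   <!-- hidden __RequestVerificationToken field;
//                                           the helper also sets the matching cookie -->
//     <%= Html.Password("oldPassword") %>
//     <%= Html.Password("newPassword") %>
//     <input type="submit" value="Change password" />
// <% } %>

using System.Web.Mvc;
using System.Web.Security;

[Authorize]
public class AccountController : Controller
{
    // GET only renders the form. It changes no state, so it carries no
    // anti-forgery check: the check belongs on the request that does work.
    public ActionResult ChangePassword()
    {
        return View();
    }

    // The POST performs the state change, so it is the one we protect.
    // If the cookie token and the hidden-field token are missing or do not
    // match, the framework throws HttpAntiForgeryException before this
    // method body runs, so a cross-site form post never reaches the
    // Membership call below.
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public ActionResult ChangePassword(string oldPassword, string newPassword)
    {
        MembershipUser user = Membership.GetUser(User.Identity.Name);
        if (user == null || !user.ChangePassword(oldPassword, newPassword))
        {
            // Wrong current password (or policy rejected the new one):
            // redisplay the form; Html.AntiForgeryToken() issues a fresh token.
            ModelState.AddModelError("_FORM", "The current password is incorrect or the new password is invalid.");
            return View();
        }
        return RedirectToAction("ChangePasswordSuccess");
    }
}
```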