Showing posts with label MVC. Show all posts

Tuesday, 22 February 2011

CSRF Prevention with MVC.NET

There's plenty of information on the inter-tube on the Cross Site Request Forgery Hack (CSRF, also known as XSRF and Confused Deputy - go on, just Google those acronyms), so I'm only going to give a general overview of the exploit. Know, though, that it is a problem that has been around pretty much since the birth of the internet, that browsers cannot prevent it (and have in the past aided it), and that it pretty much relies on a User's Trust / Stupidity.

Monday, 21 February 2011

Custom Validation via Action Filters

At the end of last week, I was tinkering with the Entity Framework 4.0 and MVC3: MVC, which we've been using a long time here and we all know and love, and Entity Framework, which quite frankly feels unfinished unless you have the CTP5 patch so that one can write true code-first with POCOs. Now I know it's illegal to use CTP patches on production environments, but apparently this is the last CTP release before a full release in the first quarter of this year, so we can begin prototyping with it at least. Anyway, getting to the point: during my tinkering, I think I may have worked out a means of custom validating objects in the controller, setting ModelState, and creating errors well before a controller method is invoked, essentially creating a validation layer that at run time sits between a UI post and the controller. I'm sure I'm not the first who's done this, and this has been worked out and blogged a gazillion times before, but I figure I'll have my say on the matter...