All ASP.NET MVC Forms Need To Include Html.AntiForgeryToken() For Security

Having recently been implementing many new form pages in ASP.NET MVC, I’ve found myself adding the following two things to every form, over and over again:

- After Html.BeginForm(), I put @Html.AntiForgeryToken()
- Add the attribute [ValidateAntiForgeryToken] to every POST action method

Before I was doing so much ASP.NET MVC, I would often see, in Channel 9 videos, the presenter add AntiForgeryToken() after the BeginForm() method on the cshtml Razor page and say something like “you should always add this”. I never saw them say “and don’t forget to add the attribute ValidateAntiForgeryToken to the controller POST method”.

Just to be clear, below is what I’m talking about: What this does is to make sure that the trusted … Continue Reading

Deeply Nested Null Checking in C# versus Assert with no nesting

One of the code smells that particularly bothers me (though I often find myself doing it anyhow) is when I program defensively against nulls in C# (though it could be any other language). That is, I do something like the following:

    var rec = getRecord(..);
    if (rec != null) {
        var rec1 = getAnotherRecord(..);
        if (rec1 != null) {
            rec2 = getAThridRecord(..);
            if (rec2 != null)...

The code gets ugly quickly, and the nesting does not help readability; if anything, it hurts it. Today, while using a daily build of ReSharper 7, I noticed that when I asked ReSharper to do the null check for me, instead of doing the above, it did the following: var rec = getRecord(..); Debug.Assert(rec != null,"rec != … Continue Reading

Building a Sencha ExtJS 4.0 MVC Application With Microsoft’s ASP.NET MVC3 Series / Basics

Part 1 (this) Basics (mostly server side)
Part 2 ExtJS Client Side Details

*For those who are interested in this, I just posted a 3 part series on using ExtJS 4.2 with Microsoft's new WebAPI Restful Interface. The new WebAPI is more efficient on the server side, and coding to REST makes the ExtJS side simpler. (March 13, 2013)

Part 1

Introduction

If you have a problem like this involving ASP.NET or Sencha Tools, more information about our consulting services is here.

In this series of articles, we will take the reference application built by the Sencha product team for using Sencha’s MVC pattern running with an ASP.NET 4.0 project (IIS in production). The first article takes the … Continue Reading

Need To Get Static JSON File with POST verb on IIS 7.5?

Normally, when we stick a JSON file up on an IIS web server, all we have to do to get to it is to set the MIME type. One easy way to do that is to add the following to your web.config:

    <system.webServer>
      <validation validateIntegratedModeConfiguration="false" />
      <modules runAllManagedModulesForAllRequests="true" />
      <staticContent>
        <mimeMap fileExtension=".json" mimeType="application/json" />
      </staticContent>
      ...

This works great as long as the GET verb is used (or you just enter the URL, like http://mysite.com/myfile.json). So, what if you “need” to use the POST keyword? Say for example, you can not … Continue Reading
