All ASP.NET MVC Forms Need To Include Html.AntiForgeryToken() For Security

Having recently been implementing many new form pages in ASP.NET MVC, I’ve found myself over and over again adding the following two things to every form.

1. After Html.BeginForm() I Put @Html.AntiForgeryToken()
2. Add the Attribute [ValidateAntiForgeryToken] To Every Post Action Method

Before I was doing so much ASP.NET MVC, I would often see in Channel 9 videos, the presenter add the AntiForgeryToken() after the BeginForm() method on the cshtml razor page and say something like “you should always add this”. I never saw them say “and don’t forget to add the attribute ValidateAntiForgeryToken to the controller POST method.” Just to be clear, below is what I’m talking about: What this does is to make sure that the trusted …

Not Using Session in ASP.NET means Session Affinity/Sticky Sessions Not Necessary in Web Farms!

So, I’ve always incorrectly thought that somehow, the cookie stored in was somehow tied to the Session provider in  Turns out I’m wrong. This came up because I was discussing with another engineer whether we need to bother with a Session provider since we do not use Session in our web application. That is, we don’t ever store information by saying something like: Session["MyKey1"] = "MyShoppingCartInfo1"; My assumption was that somehow, the Cookie planted on the client’s browser was in lock step with the IIS server through Session and that even if we did not store Session data, we still had to hook up a Session Provider. Wrong I am. …

