Security

Facebook Twitter

Custom Membership Provider. Часть 2 « shiftnotes. На прошлом уроке было создано стандартное asp.net mvc 2 веб-приложение, содержащее базовый функционал, и кастомный membership provider, в котором есть пустые методы из стандартного провайдера, для реализации собственной логики.

Custom Membership Provider. Часть 2 « shiftnotes

В этой части урока будет освещен процесс создания базы данных с таблицей для пользователей, а также реализация всех методов нашего провайдера, даже если они будут возвращать предустановленные значения. Будет добавлена система проверки email, которая генерирует специальную ссылку для активации аккаунта или сброса пароля. После всего этого мы сделаем кастомный RoleProvider и секцию приложения для администрирования. Теперь вернемся к уроку. Для начала, нам нужна база данных, которая будет хранить всю membership информацию. Securing your ASP.NET MVC 3 Application - Ricka on MVC and related Web Technologies. Executive Overview You cannot use routing or web.config files to secure your MVC application.

Securing your ASP.NET MVC 3 Application - Ricka on MVC and related Web Technologies

The only supported way to secure your MVC application is to apply the [Authorize] attribute to each controller and action method (except for the login/register methods). Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities. In ASP.NET MVC 2, it was recommended that you create a base controller with an [Authorize] attribute, and derive each controller (except the Account/Login controller) from that base class. That strategy has one big flaw: nothing prevents you from adding a new controller that doesn't derive from the [Authorize] protected base controller. Better, Faster, Easier SSL testing for ASP.NET MVC & WebForms - Ricka on MVC and related Web Technologies.

ScottHa has a great blog Working with SSL at Development Time is easier with IISExpress, but I’ve got what I think is a better approach.

Better, Faster, Easier SSL testing for ASP.NET MVC & WebForms - Ricka on MVC and related Web Technologies

Please weigh in. In this blog entry I’ll show you how to test SSL on your ASP.NET MVC & WebForms applications using IIS 7. You should make sure you have IIS 7 set up on your Windows 7 computer before proceeding. See my blog Test your ASP.NET MVC or WebForms Application on IIS 7 in 30 seconds for instructions. Prevent Cross-Site Request Forgery (CSRF) using ASP.NET MVC’s AntiForgeryToken() helper. Update: Since the Release Candidate of ASP.NET MVC, these anti-forgery helpers have been promoted to be included in the core ASP.NET MVC package (and not in the Futures assembly).

Prevent Cross-Site Request Forgery (CSRF) using ASP.NET MVC’s AntiForgeryToken() helper

Cross-site scripting (XSS) is widely regarded as the number one security issue on the web. But since XSS gets all the limelight, few developers pay much attention to another form of attack that’s equally destructive and potentially far easier to exploit. Securing ASP.NET MVC.