Hi,

I'm planning work on a new project and am now tempted to use ASP.NET MVC. My project plans to use jQuery and AJAX (although non-JS clients will also be supported). Coming from a standard ASP.NET background, I'm still trying to get my head around the MVC paradigm (with great help from Scott Guthrie). However, my main concern with using MVC is the security aspects. I've done quite a bit of security with ASP.NET and I know how to handle various attack vectors. Will I need to re-learn security with ASP.NET MVC? Are there new threats, or even new ways of handling old threats, that I will have to read up on? I've ordered a couple of ASP.NET MVC books (which have chapters on security), but I would like to know of anyone else's experience of this.

Thanks

+2  A: 

Depends on what you mean by security.

Authorization is basically the same, if not easier. Forms Authentication is supported and encouraged and you need only stick an [Authorize] attribute on controllers or controller actions. Not too much to learn there.

ViewState is gone, so you don't need to worry about ViewState validation or any of that kludge.

If you're referring to XSS, I would say that it's about the same; you need to escape your data on the output and it's very easy to do:

<%= Html.Encode(Model.SomeString) %>

The only thing I can think of that you might find a bit different is handling CSRF/XSRF. Fortunately, most of this is already built in to the framework.

So on the whole I'd say no, the learning curve for security in ASP.NET MVC should not be nearly as steep as the learning curve for the architecture itself.

Aaronaught
Thanks, this makes it that much easier to get over the learning curve. On a side note, if I use `UpdateModel()`, does it automatically HTMLEncode my data? I understand I have to do it manually when passing model objects, but not quite sure what to do when using UpdateModel. Thanks again.
keyboardP
@TenaciousImpy: You only need to worry about encoding/escaping on the way out, when the data you are presenting may have come from an untrusted source. With few exceptions, it's not really necessary to sanitize what's coming in (I assume you parameterize your SQL queries and all that). But to answer your exact question, no, `UpdateModel` does not HTML Encode your data, because then you would have encoded it twice by the time it gets displayed and your site visitors would see weird escaped `>`s in the middle of words.
Aaronaught
With ASP.NET MVC 2, `<%: Model.SomeString %>` auto encodes text for you. Note the `:` instead of `=`.
Baddie
Yup, using parameterized queries. Thanks for the help!
keyboardP
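The points made in the answer and its comments (the `[Authorize]` attribute, the built-in anti-forgery token for CSRF, encoding on the way out with `<%: %>`, and `UpdateModel` leaving input untouched) brought together in one ASP.NET MVC 2 controller plus the matching view markup. This is an added example, not code from the answer; `CommentViewModel`, `CommentController` and the static `Saved` list are assumed names used only to keep it self-contained.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Assumed view model: what the form posts and what the view renders.
public class CommentViewModel
{
    public string Author { get; set; }
    public string Body { get; set; }
}

// Forms Authentication does the authorization: any unauthenticated request to this
// controller is redirected to the login page before an action runs.
[Authorize]
public class CommentController : Controller
{
    // Stand-in for a repository (a real one would use parameterized SQL or an ORM).
    public static readonly List<CommentViewModel> Saved = new List<CommentViewModel>();

    // GET /Comment/Create: renders the form shown in the view below.
    public ActionResult Create()
    {
        return View(new CommentViewModel());
    }

    // POST /Comment/Create: ValidateAntiForgeryToken compares the hidden form field
    // written by Html.AntiForgeryToken() with the anti-forgery cookie; on mismatch the
    // request is rejected before this body executes.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(FormCollection form)
    {
        var model = new CommentViewModel();
        // UpdateModel binds the posted fields as-is; it does not HTML-encode them.
        // Encoding happens once, in the view, when the value is written out.
        UpdateModel(model, form);
        Saved.Add(model);
        return RedirectToAction("Create");
    }
}

/* Views/Comment/Create.aspx (strongly typed to CommentViewModel):

<% using (Html.BeginForm()) { %>
    <%= Html.AntiForgeryToken() %>          <%-- emits hidden field + cookie --%>
    <%= Html.TextBox("Author") %>
    <%= Html.TextArea("Body") %>
    <input type="submit" value="Post" />
<% } %>

<%: Model.Body %>                           <%-- MVC 2: encodes on output --%>
<%= Html.Encode(Model.Author) %>            <%-- MVC 1 equivalent --%>
*/
```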