views:

97

answers:

4

Today I tested my ASP.NET MVC web application and found out that anyone can easily submit a form to our website without ever visiting my website.

Ex: example.com/home/test

// Controller action: accepts any POST to /home/test, from any origin
[HttpPost]
public ActionResult Test(string name)
{
    return View("home");
}

<!-- A copy of the form hosted on another site posts straight into the action above -->
<form id="myForm" method="post" action="example.com/home/test">
    <input type="text" name="name" />
    <input type="submit" />
</form>

If another website makes this form, then when a user fills it in, my website will be affected.

Can I check whether the request was made by the user through my website or through another one?

+5  A: 

Use the [Authorize] filter to prevent anonymous users from accessing controllers or actions.

http://davidhayden.com/blog/dave/archive/2009/04/09/CustomAuthorizationASPNETMVCFrameworkAuthorizeAttribute.aspx

Richard Poole
It did not work; I use my own login system. When I test from many applications it redirects to /account/login, and it does not stop accepting the second application's request.
steven spielberg
Sorry, I misunderstood your question. DM's answer is spot on.
Richard Poole
+6  A: 

It sounds like you may be looking for some Cross-Site Request Forgery (CSRF) help. ASP.NET MVC has a pretty simple tool to help with that:

If you include: <%= Html.AntiForgeryToken() %> inside the form that is being submitted then you can mark your action method with the [ValidateAntiForgeryToken] attribute and have a pretty good handle on stopping CSRF attacks. Don't take my word for it, check out Steve Sanderson's [old] blog post about it and it should have all the background and information you'll need.

http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

DM
It did not work. I ran both applications on localhost and both make the same forgery key.
steven spielberg
@steven It uses the machine key, which would be the same in both cases.
bzlm
DM, agreed... ;-)
jim
A: 

Steven,

In addition to the suggestions above (which, for the life of me, I can't understand why they work CS), you can additionally examine the origin of the request inside the controller:

var origReq = HttpContext.Request.UrlReferrer;

Or examine the headers and determine your 'action' based on their contents:

var headers = HttpContext.Request.Headers;

[edit] Of course, 'headers' can be tampered with (depending on how determined someone is to cross-post to your site), so you could probably only use these for informational purposes; it's not a 100% certainty...

You can then decide whether this 'post' is allowed or not depending on whether it originated from your domain (or an approved domain).

jim

jim
Grr, got me legs chopped off there for suggesting ADDITIONAL checks that could be made. I'll get me coat and keep my mouth shut in future :-)... Good luck all... and some nice comments too by all, especially bzlm.
jim
I'll get you back to 0. Those recommendations don't warrant a down vote...
DM
DM, you're a real gent; hope I didn't sound like I was begging :-). Thanks, those '-1's never look good.... All the best again.
jim
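An added example (not code from the thread or from ASP.NET itself) that models the two mechanisms discussed in DM's and jim's answers: a synchronizer token bound to the session under a per-application secret, standing in for what Html.AntiForgeryToken() and [ValidateAntiForgeryToken] do, plus the Origin/Referer check jim describes. The token scheme is a simplified HMAC construction, not MVC's real token format; `cross_app_token_accepted` reproduces steven's localhost observation, that two apps sharing the same signing key (the machine key, as bzlm notes) and the same session cookie accept each other's tokens. All function names, keys and header values are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlparse


def make_token(app_key: bytes, session_id: str) -> str:
    """Synchronizer token: HMAC of the session id under the app's secret key.
    Hypothetical stand-in for the value Html.AntiForgeryToken() puts in the form."""
    return hmac.new(app_key, session_id.encode(), hashlib.sha256).hexdigest()


def validate_token(app_key: bytes, session_id: str, submitted: str) -> bool:
    """Conceptually what [ValidateAntiForgeryToken] does on POST: recompute the
    token for this session and compare in constant time."""
    expected = make_token(app_key, session_id)
    return hmac.compare_digest(expected, submitted)


def referer_allowed(headers: dict, allowed_hosts: set) -> bool:
    """jim's supplementary check: accept only when Origin (or, failing that,
    Referer) names an approved host. Informational only: a client can set
    or omit these headers, so it never replaces the token check."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # policy choice here: a missing header is treated as foreign
    return urlparse(source).hostname in allowed_hosts


def cross_app_token_accepted(key_a: bytes, key_b: bytes, session_id: str) -> bool:
    """Token minted by app A (key_a) is submitted to app B (key_b) for the same
    session cookie, as when both apps run on localhost. With key_a == key_b, the
    same machine key in the thread, app B cannot tell the token was not its own."""
    token_from_a = make_token(key_a, session_id)
    return validate_token(key_b, session_id, token_from_a)


def post_allowed(app_key: bytes, session_id: str, form: dict, headers: dict,
                 allowed_hosts: set) -> bool:
    """Combined gate for a POST: token must validate AND the origin must be approved."""
    token_ok = validate_token(app_key, session_id, form.get("__RequestVerificationToken", ""))
    return token_ok and referer_allowed(headers, allowed_hosts)
```

Giving each deployment its own key (and not sharing a cookie domain between unrelated apps) is what makes the token check meaningful; the referer check alone never is.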
+1  A: 

Steven, I can recommend that you watch the video: The HaaHa Show: Microsoft ASP.NET MVC Security with Haack and Hanselman

After 24 minutes they discuss how to protect an MVC site with the Html.AntiForgery tag and show how you can implement this in an MVC website.

Kelderro