Understanding Routing

One of the important feature of ASP.NET MVC is Routing. The Routing infrastructure helps us to map the incoming requests to controllers and actions. The routing module ships with a separate assembly System.Web.Routing and that helps us to use the routing infrastructure outside ASP.NET MVC applications, like in Webforms.

In this article we are going to see about the important details of routing infrastructure. First we start from basics and slowly move to the advanced concepts and at-last we see how we can simplify creating routes by using our own extension methods. For people who are already familiar with the basic things they can jump to the last section where we discuss about creating cool extension methods and that's fun.

Continue Reading

Creating non-variable querystrings using action link helpers

This post is more kind of tip. The action link html helpers really simplifies our job in generating hyperlinks. These html helpers are integrated with the routing infrastructure and that helps to generate links very smartly. There are lot of overloaded versions available but most of them takes the route values as an anonymous object.

Suppose we need to generate an URL like below,

The querystring names contains a "." operator and when you use an anonymous object to pass these values as new { = 12.12, pos.lon = 23.5 } you will run into an exception. How we generate urls like them using built-in action-link helpers is the rest of this post.

Continue Reading

CSRF and AntiForgeryToken

Cross Site Request Forgery also known as CSRF (XSRF) is a widely exploited website vulnerability. In a CSRF attack, a malicious site instructs a victim's browser to send a request to an honest site, as if request were part of the victim's interaction with the honest site, leveraging the victim's network connectivity and the browser's state, such as cookies, to disrupt the integrity of the victim's session with the honest site. One of the popular technique to prevent CSRF attack is by using security tokens (from here).

ASP.NET MVC suports prevention against CSRF through the AntiForgeryToken html helper and ValidateAntiForgeryToken filter. The AntiForgeryToken is supported only for the POST requests and not for GET and this makes sense because the GET operation has to used only for safe operations (as per HTTP spec.).

In some applications we need all the POST operations should be validated for the anti-forgery token and in those cases instead of decorating all the POST actions in the application with the ValidateAntiForgeryTokenAttribute we can create a custom authorization filter and apply it globally, that's what we are going to see in this article. We will also see how to create a html helper that renders form along with the hidden field that contains security token.

Continue Reading

How to create a custom session value provider

Value Providers are the components that feeds data to model binders. The framework contains a bunch of built-in value providers like FormValueProvider, RouteDataValueProvider, QueryStringValueProvider and HttpFileCollectionValueProvider that fetches data from Request.Form, Request.QueryString, Request.Files and RouteData.Values. These Value Providers are called in the order they are registered and so the one that registered earlier gets the first chance. We can easily restrict the model to bind with data from a particular Value Provider.

The interesting thing is we can even create own custom Value Provider to feed data to models. In this article we see how to create a value provider that feed data from session.

Continue Reading