asp.net mvc 4 - AntiForgery.Validate() vs ValidateAntiForgeryToken -


does method system.web.helpers.antiforgery.validate(); perform same function [validateantiforgerytoken] decoration?

i'm thinking of changing log out method too:

    [httppost]             public virtual actionresult logoff()             {         if (user.identity.name != "")         {             system.web.helpers.antiforgery.validate();             websecurity.logout();         }                     return redirecttoaction(mvc.account.login());     }

this prevent anti forgery exception being thrown when system has logged out due login expiring. want antiforgery.validate() perform same task validateantiforgerytoken.

i using additional exception handler catch exception. problem remained elmah still logged exception, , i'm getting many messages.

it seem both approaches validate antiforgerytoken present in form. have checked assemblies , validateantiforgerytokenattribute call antiforgery.validate method validation. both approaches throw httpvalidateantiforgeryexception when validation fails. short answer whether perform same task yes.

there subtle difference in fact validateantiforgerytokenattribute validates token earlier in mvc execution cycle-in onauthorization method. may make difference in performance if execute resource intensive task in controller action before doing antiforgerytoken.validate() check.

another thing note may creating work (not mention possible security holes left when omitting it) requiring each httppost action have following piece of code

if (user.identity.name != "") {     system.web.helpers.antiforgery.validate();     websecurity.logout(); }

by creating following attribute , decorating post methods have desired functionality , not required have above code in every post action

using system; using system.web.mvc;  [attributeusage( attributetargets.method | attributetargets.class , allowmultiple = false , inherited = true )] public class validateorsignoutantiforgerytokenattribute :      filterattribute ,      iauthorizationfilter {      public void onauthorization( authorizationcontext filtercontext )     {         if( filtercontext == null )         {             throw new argumentnullexception( "filtercontext" );         }          if( filtercontext.httpcontext.user != null &&             filtercontext.httpcontext.user.identity.name != "" )         {             try             {                 system.web.helpers.antiforgery.validate();             }             catch             {                 websecurity.logout();                 throw;             }         }     }  }

one last thing, exceptions normal in validation of antiforgery. because antiforgery.validate method throws httpvalidateantiforgeryexception when validation fails. see in code above have caught exception , re-thrown after completing logout.


Comments

Post a Comment

Popular posts from this blog

basic authentication with http post params android -

i doing basic authentication passing username , password , using basicnamevaluepair sending post params response service. my method: public stringbuilder callservicehttppost(string username, string password, string type) { // create new httpclient , post header httpclient httpclient = new defaulthttpclient(); httppost httppost = new httppost(webservice + type); httpresponse response = null; stringbuilder total = new stringbuilder(); try { url url = new url(webservice + type); /*string base64encodedcredentials = base64.encodetostring((username + ":" + password).getbytes(), base64.url_safe | base64.no_wrap);*/ string base64encodedcredentials = "basic " + base64.encodetostring( (username + ":" + password).getbytes(), base64.no_wrap); httppost.setheader("auth...
Read more

vb.net - Virtual Keyboard commands -

i wondering difference between virtual these keyboard commands is: keyeventf_extendedkey , keyeventf_keyup is. everywhere have looked gives me description based off integers , not want know each of them does. you've tagged question vb.net, these have nothing @ vb.net. they're constants defined in windows header files, use win32 api functions. as far difference, can't tell looking @ values. individual values not particularly important, that's why named identifiers used. what's important used , documentation functions tells mean. the first one, keyeventf_extendedkey , used keybdinput structure (which used along e.g. sendinput function) pass information synthesized keyboard input. if flag used, means scan code should interpreted extended key. technically, means scan code preceded prefix byte value 224 (&he0 in hexadecimal notation). the second one, keyeventf_keyup , 1 of flags available use structure. means key being released (going up)...
Read more

How to get multiresult with multicondition in Sql Server -

i need solve this. hopefully can giving me advices. for sample, i've got data : proclib.march 1 first 10 rows flight date depart orig dest miles boarded capacity ----------------------------------------------------------------- 114 01mar94 7:10 lga lax 2475 172 210 202 01mar94 10:43 lga ord 740 151 210 219 01mar94 9:31 lga lon 3442 198 250 622 01mar94 12:19 lga fra 3857 207 250 132 01mar94 15:35 lga yyz 366 115 178 271 01mar94 13:17 lga par 3635 138 250 302 01mar94 20:22 lga 229 105 180 114 02mar94 7:10 lga lax 2475 119 210 202 02mar94 10:43 lga ord 740 120 210 219 02mar94 9:31 lga lon 344...
Read more