Category Archives: MVC

Q: How can you prevent a client from calling an action method directly in MVC?

I have two actions inside my controller (shoppingCartController)

public ActionResult Index()
{
	//some stuff here
	return View(viewModel);
}

public ActionResult AddToCart(int id)
{

	return RedirectToAction("Index");

}

Is there any way to prevent users from directly calling the Index action by typing the URL in the browser?
For example: if the user browses to shoppingCart/index, they should be redirected to Home/Index.
Solution
You could use the [ChildActionOnly] attribute on your action method to make sure it’s not called directly, or use the ControllerContext.IsChildAction property inside your action to determine if you want to redirect.
For example:

//[ChildActionOnly]
public ActionResult Index()
{
    if(!ControllerContext.IsChildAction)
    {
       // direct browser request: send the user to Home/Index
       return RedirectToAction("Index", "Home");
    }

    //some stuff here
    return View(viewModel);
}

Reference:
https://stackoverflow.com/questions/9407172/asp-net-mvc-how-to-prevent-browser-from-calling-an-action-method

 


Filed under C#, Interview question, MVC, Uncategorized

Sessionless Controller

With a sessionless controller you can easily control session behavior for your controllers.
Before going further, it is better to understand concurrent requests in MVC, what their limitations are, and how those limitations are resolved with a sessionless controller.


Filed under MVC

ASP.Net MVC 3 – New Features

1. New Razor View Engine
Razor views are fast, smaller and lighter. They are easy to learn.
For more detail: Introduction RAZOR

2. Granular Request Validation

3. Sessionless Controller Support

http://weblogs.asp.net/imranbaloch/archive/2011/01/16/asp-net-mvc-3-new-features.aspx


Filed under MVC

Granular Request Validation MVC 3

This is a new feature provided in MVC 3. We will discuss what request validation is and why it is useful to make it granular.
Request validation is a feature of ASP.NET that analyzes the data a browser sends to the server when a user interacts with your site (such as form or query string data) and rejects requests that contain suspicious input that looks like HTML code (basically anything with a '<'). This protects you from HTML injection such as cross-site scripting (XSS). It is enabled by default.
However, in previous versions it was an all-on-or-off feature, meaning that if you wanted to accept HTML-formatted input from your users in just one field, you had to turn this protection off completely. This in turn meant that you now had to validate every bit of data that came from the client.

AllowHtmlAttribute (formerly SkipRequestValidationAttribute)
In MVC 3 we have introduced a new attribute called AllowHtmlAttribute. You can use this attribute to annotate your model properties to indicate that values corresponding to them should not be validated. Let's take this User model and UserController as an example:

public class User {
    public int Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
    [AllowHtml]
    public string Description { get; set; }
    [AllowHtml]
    public string Bio { get; set; }
}
 
public class UserController : Controller {
    [HttpPost]
    public ActionResult Update(User user) {
        // update user database
        return RedirectToAction("Index"); // placeholder result so the action compiles
    }
}

I have annotated the Description and Bio properties to indicate they should not be request-validated. Now when the Update action method gets invoked these two properties on the User object will not be validated and any HTML they might contain will be passed straight through to the action method. However, everything else will still go through request validation and requests that contain suspicious content in the Name or Email fields will get rejected.
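An added example, not from the original post: because [AllowHtml] properties reach the action with their markup intact, the action has to neutralize that markup itself before it is stored or rendered. BioSanitizer is a hypothetical helper that encodes the whole value and restores only a few attribute-free formatting tags; the trimmed User model and the redirect to Index are assumptions.

```csharp
using System.Net;                        // WebUtility.HtmlEncode (.NET 4+)
using System.Text.RegularExpressions;
using System.Web.Mvc;

// Hypothetical helper, not part of ASP.NET MVC: encode everything, then
// restore a small allow-list of formatting tags that carry no attributes.
public static class BioSanitizer
{
    // Matches the *encoded* form of <b>, </b>, <i>, </i>, <em>, </em>, <strong>, </strong>, <p>, </p>.
    private static readonly Regex AllowedTag = new Regex(
        @"&lt;(/?)(b|i|em|strong|p)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static string Sanitize(string html)
    {
        if (string.IsNullOrEmpty(html)) return string.Empty;

        // Step 1: every <, >, &, " and ' becomes an entity, so no markup survives.
        string encoded = WebUtility.HtmlEncode(html);

        // Step 2: only bare allow-listed tags are turned back into markup.
        // A tag with attributes (e.g. an event handler) never matches and stays encoded.
        return AllowedTag.Replace(encoded, "<$1$2>");
    }
}

public class User
{
    public int Id { get; set; }
    public string Name { get; set; }     // still covered by request validation
    [AllowHtml]
    public string Bio { get; set; }      // bypasses request validation
}

public class UserController : Controller
{
    [HttpPost]
    public ActionResult Update(User user)
    {
        if (!ModelState.IsValid) return View(user);

        user.Bio = BioSanitizer.Sanitize(user.Bio);   // sanitize before it is stored
        // persist the user here (storage is outside this example)
        return RedirectToAction("Index");             // assumed follow-up action
    }
}
```

Razor HTML-encodes @Model.Bio by default, so a view that should show the allowed formatting has to emit the sanitized value with @Html.Raw(Model.Bio); unsanitized input should never be passed to Html.Raw.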

ValidateInputAttribute
AllowHtmlAttribute can only be applied to properties of a model class. For other request validation scenarios the existing ValidateInputAttribute is still helpful. For example, you can use it to disable request validation for action methods that bind to a loose collection of parameters:

[ValidateInput(false)]
public ActionResult Update(int userId, string description)
{
    // Do something
    return View(); // placeholder result so the action compiles
}

Now when the parameters of the Update method get bound request validation will not be performed. You can apply ValidateInput to action methods as shown above or to the entire controller to affect all of its action methods.

ValidateInput is also more usable in MVC 3. In MVC 2 running on .NET 4 you had to set requestValidationMode="2.0" in order to turn request validation off. In MVC 3 this is no longer necessary.

Reference: Granular Request Validation in ASP.NET MVC 3


Filed under MVC