
Security in MVC4 partial postback

I have an MVC4 application that we would like to use in another platform. Our current security includes some custom data in the header on the HTTP request and I was curious what other people did to solve security issues with partial post backs. I really like the flexibility that some of that (partial postbacks that is) solves but was concerned that basically your whole header construction is right there in viewable javascript.

I really like the flexibility that some of that (partial postbacks that is) solves but was concerned that basically your whole header construction is right there in viewable javascript.

Not necessarily. You could keep the construction of this header on the server and then only use it in javascript:

<script type="text/javascript">
    var securityHeader = @Html.Raw(Json.Encode(Html.GenerateSecurityHeader()));
</script>

and then use this securityHeader variable. Obviously the value is right there in the HTML, but that's not less secure than what you currently have (the value is part of an HTTP header in the request that anyone could freely see). It just keeps the actual generation of the header on the server.

All this being said, why reinvent the wheel when this is already built into the framework thanks to Forms Authentication (or if you want more flexibility thanks to Claims Based Authentication)?
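
As an added illustration (not code from the answer above), here is one way a server-side generator behind a helper like `Html.GenerateSecurityHeader()` could work: the server signs the user name and an expiry with HMAC-SHA256, so the page only ever carries the finished value and the key never reaches JavaScript. The class and method names, the header layout and the demo key are all assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SecurityHeader   // hypothetical name, as are Generate and Validate
{
    // Constructed demo key. Assumption: the real key lives only in server configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");

    // Server side: the value a helper such as Html.GenerateSecurityHeader() could emit.
    public static string Generate(string user, DateTime utcNow, TimeSpan lifetime)
    {
        string name = Convert.ToBase64String(Encoding.UTF8.GetBytes(user));
        string payload = name + "." + (utcNow + lifetime).Ticks;
        return payload + "." + Sign(payload);
    }

    // Server side: check the header on every partial postback before running the action.
    public static bool Validate(string header, string user, DateTime utcNow)
    {
        int cut = string.IsNullOrEmpty(header) ? -1 : header.LastIndexOf('.');
        if (cut <= 0) return false;
        string payload = header.Substring(0, cut);
        if (!FixedTimeEquals(Sign(payload), header.Substring(cut + 1))) return false;
        string[] parts = payload.Split('.');   // Base64 never contains '.'
        long expires;
        if (parts.Length != 2 || !long.TryParse(parts[1], out expires)) return false;
        string expected = Convert.ToBase64String(Encoding.UTF8.GetBytes(user));
        return parts[0] == expected && utcNow.Ticks <= expires;
    }

    private static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Compare without stopping at the first mismatch, so timing does not leak the signature.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string header = Generate("alice", now, TimeSpan.FromMinutes(20));
        Console.WriteLine(Validate(header, "alice", now) + " " + Validate(header, "bob", now)
            + " " + Validate(header, "alice", now.AddHours(1)));
    }
}
```

The emitted value is still readable by anyone who can see the page or the request, and it remains usable until it expires, so it needs the same transport protection as any other session credential.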
