Are pages generated by ASP.NET MVC 4 Beta templates safe against Cross-Site Request Forgery?
Specifically, are the "Edit" view and controller action generated by the "Controller with read/write actions and views, using EntityFramework" protected against CSRF?
Examining the HTML code generated by the Edit form, I can't see a hidden field or another way to implement an anti-forgery token.
Am I missing something or is the default example unsafe?
You need to explicitly implement the anti-forgery token.
In the view:

    @using (Html.BeginForm(...))
    {
        @Html.AntiForgeryToken()
        ...
    }

In the controller:

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult MyAction(MyViewModel model)
    {
        ...
    }

You can always create custom T4 templates to generate this for you, but no, the out-of-the-box templates do not do this by default.
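
One way to audit a project for the gap described in the answer above, as an added example (not from the original post or the MVC templates): a reflection check that lists every POST action lacking `[ValidateAntiForgeryToken]`. `AntiForgeryAudit`, `SampleController` and `Program` are hypothetical names, and the code assumes a reference to the System.Web.Mvc assembly.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

public static class AntiForgeryAudit   // hypothetical helper, not part of MVC
{
    // Returns "Controller.Action" for each action declared in the assembly that
    // accepts POST but has no [ValidateAntiForgeryToken] on the method or its class.
    // Actions with no verb attribute at all (they accept any verb) are not reported.
    public static IList<string> FindUnprotectedPostActions(Assembly assembly)
    {
        var token = typeof(ValidateAntiForgeryTokenAttribute);
        return assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t))
            .SelectMany(t => t.GetMethods(
                BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly))
            .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true))
            .Where(AcceptsPost)
            .Where(m => !m.IsDefined(token, true) && !m.DeclaringType.IsDefined(token, true))
            .Select(m => m.DeclaringType.Name + "." + m.Name)
            .ToList();
    }

    private static bool AcceptsPost(MethodInfo m)
    {
        if (m.IsDefined(typeof(HttpPostAttribute), true)) return true;
        return m.GetCustomAttributes(typeof(AcceptVerbsAttribute), true)
            .Cast<AcceptVerbsAttribute>()
            .Any(a => a.Verbs.Contains("POST", StringComparer.OrdinalIgnoreCase));
    }
}
// Constructed sample shaped like a scaffolded controller.
public class SampleController : Controller
{
    [HttpPost]                              // no token validation
    public ActionResult Edit(int id) { return new EmptyResult(); }
    [HttpPost, ValidateAntiForgeryToken]    // token validated
    public ActionResult Create(string name) { return new EmptyResult(); }
}
public static class Program
{
    public static void Main()
    {
        foreach (var action in AntiForgeryAudit.FindUnprotectedPostActions(typeof(SampleController).Assembly))
            Console.WriteLine("Missing [ValidateAntiForgeryToken]: " + action);
    }
}
```

Called from a unit test against the web project's assembly, the same method can fail the build whenever a newly scaffolded POST action is added without the attribute.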