c# - Is ValidateAntiForgeryToken autoimplemented with POST? -


i'm reading post considered secure , no, , should implement [validateantiforgerytoken] in every action of every controller.

the question is: need use [validateantiforgerytoken] data annotation when use [post]?

it's off default.
there's reason this. not every post has come form (especially true since question tagged asp.net-core)

you should decorate controller action [validateantiforgerytoken]

[validateantiforgerytoken] public iactionresult post(model model) {     // ... etc }

if you're using form tag helper, automatically add anti forgery token you, <form> markup.

the markup generated like:

<form action="/mycontroller" method="post">     <input name="__requestverificationtoken" type="hidden" value="fhtffhkknsdfhyazftn6c4ybzamsewg0srqluqqloi/oijoijoijojhishg" />     <!-- rest of form here --> </form>

note: can manually enable/disable __requestverificationtoken generation using form helper tags:

<form  asp-controller="mycontroller"   asp-action="myaction"   asp-antiforgery="false"   method="post">

Comments

Post a Comment

Popular posts from this blog

go - serving up pdfs using golang -

Image
just wondering if guys can code. it works serving images not pdf brochure. in advance func main(){ http.handlefunc("/", func(w http.responsewriter, r *http.request){ filename := "/var/www/filedipenser/brochure.pdf" streampdfbytes, err := ioutil.readfile( filename ) if err != nil { fmt.println(err) os.exit(1) } b := bytes.newbuffer(streampdfbytes) w.header().set("content-type", "application/pdf") if _, err := b.writeto(w); err != nil { fmt.fprintf(w, "%s", err) } w.write([]byte("pdf generated")) }) err := http.listenandserve(":4111", nil) if err != nil { log.fatal("listenandserve: ", err) fmt.println(err) } } the code bit inefficient appears working. however, pdf viewers might sensitive extraneous output adding end of http response stream...
Read more

python - Best design pattern for collection of objects -

i have following architecture: +-----------------+ | collection | | | | | | | | | +-----------------+ | ^ | | create() | | | | v | getitem(b) +------------+ | | item | | | | | | +------+ | | +------------+ a class managing collection of items, creates items. , these items may need other items collection. the actual code in python, , collection passes parameter created item . see it, bad practice. improvement can see pass few functions of collection needed item , instead of whole instance. for example: class collection: getitem(self, id): ... createitem(self, id): item = item(id, self) # <-- pass self ... class item: __init__(self, id, col): ... col.getite...
Read more

sharepoint online - C# CSOM SPView ListItemCollection did not update after I add new field in the SP view -

spclientcontext.credentials = new sharepointonlinecredentials(username, securepassword); //https://msdn.microsoft.com/en-us/library/office/ee534956(v=office.14).aspx web spweb = spclientcontext.web; list splist_csv = spweb.lists.getbytitle("supplier master list"); view spview_csv = splist_csv.views.getbytitle("_data pending export csv");//oracle export field spclientcontext.load(spview_csv); spclientcontext.executequery(); camlquery query = new camlquery(); query.viewxml = spview_csv.viewquery; listitemcollection items = splist_csv.getitems(query); spclientcontext.load(items); spclientcontext.executequery(); foreach (var item in items) { //some field/item missing? } hi, using code above retrieve data sharepoint online. @ first, working fine. but, when add in new column view _data pending export csv on sharepoint online, found out new added field missing. idea? ok. found out others issue, lookup field on limit. did fix change lookup field s...
Read more