Posts

Showing posts from June, 2013

Responsible use of the ASP.NET MVC AntiForgeryToken

The use of anti-forgery tokens is a necessary safeguard against cross-site request forgery attacks. The ASP.NET MVC framework provides easy-to-use security mechanisms right out of the box, but unfortunately these are opt-in rather than opt-out and are easy to miss or forget. For a non-trivial website it is difficult to guarantee that tokens are supplied and checked in all form submissions and AJAX posts. This is how I do it.

Note: Web security is a tricky business and I do not consider myself a security expert. Use the information in this post at your own risk.

1. Use the ValidateJsonAntiForgeryToken attribute for AJAX calls

There's a nice post by Johan Driessen on anti-XSRF validation with newer versions of the .NET framework. I use Johan's ValidateJsonAntiForgeryToken attribute to great effect. In summary, Johan's attribute should be applied to actions invoked via AJAX calls. Check out his blog post - it explains everything in detail.

2. Ensure all AJAX posts conta...

Mocking NHibernate with Typemock Isolator is Awesome

Note: I am not affiliated in any way with Typemock.

Unit testing methods that contain NHibernate calls is notoriously difficult. In fact, a common suggestion is to give up and use an in-memory database instead. This is fine (I've personally tried it on multiple occasions), and it works I suppose, but it has always felt more like integration testing than unit testing (what happened to "no external dependencies"? Perhaps I'm a purist) and undoubtedly slows down the test suite, especially in all but trivial cases where reference data needs to be loaded.

I'm a novice Isolator user and messed around with the RecordExpectations syntax for a little bit before realizing just how simple Isolator makes things. Once you understand the warnings that Typemock puts out there, things get really easy. Really easy.

First Attempt

Let's say I wanted to fake the count of the products currently mapped to a specific category on my website. Normally the chained nature...