1. Login using the Authorize feature
In our development projects the basic approach is to require role membership through the Authorize feature: for example, the Administrator role is the admin, and registered users who log in get the User role. So when the user logs in we add:

// Role verification
FormsAuthentication.SignOut();                    // clear any existing authentication ticket (roles)
FormsAuthentication.SetAuthCookie("User", false);  // issue a non-persistent authentication cookie
This adds the User role; then we add the role check on the controller, as follows:

[Authorize(Roles = "User")]
public ActionResult Index()
{
    return View();
}
This way the Index page can only be accessed by someone with the User role.
What if a user without the User role tries to access it anyway? Next we add a redirect in the Web.config file, so that a user who fails the role check is sent to a specified page; the following sends them to the login page Login:

<authentication mode="Forms">
  <forms loginUrl="~/Login" timeout="2880" />
</authentication>
All right, that's it, easy.
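One caveat on the snippets above: SetAuthCookie only records the user name in the ticket, while [Authorize(Roles = "User")] is evaluated against the roles on HttpContext.User, which stays empty unless a role provider is configured. The following is an added example, not code from the original post: it stores the roles in the ticket's UserData and rebuilds the principal on every request; the RoleTicket class name, the 30-minute lifetime and the "User" role value are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Issue a forms ticket whose UserData carries the user's roles, and restore
// those roles on each request so [Authorize(Roles = "...")] can check them.
public static class RoleTicket
{
    public static void Issue(HttpResponseBase response, string userName, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false,                        // not persistent (assumed lifetime: 30 minutes)
            string.Join(",", roles));     // UserData, e.g. "User" or "Admin,User"
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from page script (section 4)
            Secure = FormsAuthentication.RequireSSL   // follows <forms requireSSL="..."/>
        };
        response.Cookies.Add(cookie);
    }

    // Rebuild the principal (with roles) from the encrypted ticket in the cookie.
    public static void Restore(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }     // tampered or foreign cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;
        string[] roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}

// Global.asax.cs: PostAuthenticateRequest runs after FormsAuthenticationModule,
// so the module's role-less principal is replaced by one that knows the roles.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        RoleTicket.Restore(Context);
    }
}

// In the login action, after the credentials have been verified (that code is not shown):
//     RoleTicket.Issue(Response, userName, new[] { "User" });
```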
2. Preventing XSS attacks
1. HTML-encode all output, using @Html.Encode or @Html.AttributeEncode (Razor's @ syntax already HTML-encodes by default; only @Html.Raw bypasses it)
2. Encode URLs with @Url.Encode
3. Encode strings embedded in JavaScript with @Ajax.JavaScriptStringEncode (or HttpUtility.JavaScriptStringEncode)
3. Token verification
Add @Html.AntiForgeryToken() inside the form, and then add [ValidateAntiForgeryToken] to the controller action that handles the POST
4. Use HttpOnly to block cookie theft
Add <httpCookies httpOnlyCookies="true" /> to Web.config (site-wide), or set it per cookie:
Response.Cookies["MyCookie"].HttpOnly = true;
5. Use the Bind attribute to accept only the listed form fields
for example: [Bind(Include = "Username,password")]
Here I have a question: why is this said to defend against repeated submission attacks? I don't think it achieves that. Instead, it prevents the submission of attack data, such as fields outside the form the view submits.
The measures above are the ones we use most often in projects; of course, you may have better ways.
This group provides technical support for ASP.NET MVC, EF, LINQ and Web API.
ASP.NET MVC group: 171560784
Experts and beginners alike are invited to join.