Thanks Simon,
I will adapt the MS implementation in a few areas, like generating and
serializing the token string into the cookie.
I also like the $FormHelper.ForgeryToken() idea, except that I would
have to touch existing code, but I will add it as an alternative option to
${XssHiddenField}.
Will update you on the progress soon.
Thanks,
Sokun
On May 30, 8:18 am, John Simons <[email protected]> wrote:
> Hi Sokun,
>
> Good specs :)
> How come you apply the attribute to the Controller?
> I thought you would apply the attribute to the individual Actions, at least
> that is what MS has done in ASP.MVC.
>
> My thoughts on this: try to copy as much from the MS implementation as
> possible (no point reinventing the wheel).
>
> ${XssHiddenField} should be a helper eg. $FormHelper.ForgeryToken()
>
> Cheers
> John
>
> ________________________________
> From: c.sokun <[email protected]>
> To: Castle Project Development List <[email protected]>
> Sent: Sun, 30 May, 2010 1:31:46 AM
> Subject: Implementing AntiForgeryValidatorFilter
>
> I am currently working on AntiForgeryValidatorFilter for MonoRail, but
> before I start coding I want to have your feedback on the usage and
> implementation direction.
>
> Usage:
> 1. At the server side code
>
> [AntiForgeryValidatorFilter()]
> public class HomeController : SmartDispatcherController {
>     public void Index() {
>
>     }
> }
>
> 2. View Template
> <form method="POST" action="....">
> ${XssHiddenField}
> </form>
>
> Implementation:
>
> - The Filter only works for POST
> - The Filter will automatically set up the AntiForgery Cookie if it doesn't
> exist (in encrypted form)
> - The Filter will regenerate & store a new token value in the Cookie after a
> successful POST. (not sure if this is practical?)
> - The Filter will create and store two string values in the PropertyBag,
> a, XssHiddenField // <input type='hidden' value='tokenString' />
> b, XssTokenString // raw token string, which is useful for crafting
> $.ajax, $.post etc.
> - more configuration features
>
> I think the usage is quite simple and easy to integrate into an existing
> app; now the challenge is
> - The Filter will automatically set up the AntiForgery Cookie if it doesn't
> exist (in encrypted form)
> - The Filter will regenerate & store a new token value in the Cookie after a
> successful POST. (not sure if this is practical?)
> Am I going in the right direction?
>
> Thanks,
> Sokun
>
> --
> You received this message because you are subscribed to the Google Groups
> "Castle Project Development List" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group
> at http://groups.google.com/group/castle-project-devel?hl=en.
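An added example of the token handling the proposed filter needs (this is not Castle/MonoRail code and not Sokun's implementation): a fresh random token, a cookie value the filter can recognise as its own, the hidden field the view emits, and the POST-only check that compares cookie and form. It is written against plain strings so it runs as a console app; the cookie name, the field name, the choice of an HMAC over the cookie value in place of encryption, and the rotation step at the end are all assumptions of this example, and hooking it into MonoRail's filter pipeline and request collections is left out.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not Castle/MonoRail code. Names and the HMAC scheme are assumptions.
public sealed class AntiForgeryTokenService
{
    public const string CookieName = "__MonoRailAntiForgery"; // assumed cookie name
    public const string FieldName = "__MonoRailAntiForgery";  // assumed hidden-field name

    private readonly byte[] serverKey;

    // serverKey: an application-wide secret (config or machine key), at least 32 bytes.
    public AntiForgeryTokenService(byte[] serverKey)
    {
        if (serverKey == null || serverKey.Length < 32)
            throw new ArgumentException("server key must be at least 32 bytes", "serverKey");
        this.serverKey = serverKey;
    }

    // 128 bits from the OS CSPRNG; issued when no cookie exists and again after a successful POST.
    public string NewToken()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Cookie value is "token.mac"; the MAC lets the filter reject a cookie it did not issue.
    public string ProtectForCookie(string token)
    {
        return token + "." + Convert.ToBase64String(Mac(token));
    }

    public bool TryUnprotectCookie(string cookieValue, out string token)
    {
        token = null;
        if (string.IsNullOrEmpty(cookieValue)) return false;
        int dot = cookieValue.LastIndexOf('.');
        if (dot <= 0 || dot == cookieValue.Length - 1) return false;
        byte[] presented;
        try { presented = Convert.FromBase64String(cookieValue.Substring(dot + 1)); }
        catch (FormatException) { return false; }
        string candidate = cookieValue.Substring(0, dot);
        if (!FixedTimeEquals(Mac(candidate), presented)) return false;
        token = candidate;
        return true;
    }

    // What a ${XssHiddenField} / $FormHelper.ForgeryToken() helper would render.
    public string HiddenField(string token)
    {
        return "<input type=\"hidden\" name=\"" + FieldName + "\" value=\""
             + System.Net.WebUtility.HtmlEncode(token) + "\" />";
    }

    // The filter's decision: true lets the action run, false rejects the request.
    public bool ValidateRequest(string httpMethod, string cookieValue, string formToken)
    {
        if (!string.Equals(httpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return true;                                   // only POST is guarded
        string cookieToken;
        if (!TryUnprotectCookie(cookieValue, out cookieToken)) return false; // missing or forged cookie
        if (string.IsNullOrEmpty(formToken)) return false;                   // hidden field missing
        return FixedTimeEquals(Encoding.UTF8.GetBytes(cookieToken), Encoding.UTF8.GetBytes(formToken));
    }

    private byte[] Mac(string data)
    {
        using (var hmac = new HMACSHA256(serverKey)) return hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    // Compares every byte; no early exit on the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        var svc = new AntiForgeryTokenService(key);

        // First request: no cookie yet, so the filter issues one and hands the token to the view.
        string token = svc.NewToken();
        string cookie = svc.ProtectForCookie(token);
        Console.WriteLine(svc.HiddenField(token));

        Console.WriteLine(svc.ValidateRequest("GET", null, null));              // True: GET is not checked
        Console.WriteLine(svc.ValidateRequest("POST", cookie, token));          // True: cookie and field agree
        Console.WriteLine(svc.ValidateRequest("POST", cookie, null));           // False: cross-site form has no field
        Console.WriteLine(svc.ValidateRequest("POST", cookie, svc.NewToken())); // False: wrong token
        string forged = svc.NewToken();
        Console.WriteLine(svc.ValidateRequest("POST", forged + ".AAAA", forged)); // False: cookie MAC fails

        // Rotation after a successful POST (the step the post asks about): old token stops working.
        string newCookie = svc.ProtectForCookie(svc.NewToken());
        Console.WriteLine(svc.ValidateRequest("POST", newCookie, token));       // False: stale token
    }
}
```

The cookie should be set HttpOnly and, where the site is served over TLS, Secure, so script on another origin cannot read or plant it. The last lines show the cost of the rotate-after-POST option: once the cookie is reissued, any form already rendered in another tab carries a stale token and its submit will be rejected, so a site that rotates needs to re-render or refresh those forms.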