Archives / 2008
  • Secure ASP.NET MVC Applications

    One of the greatest advantages of ASP.NET MVC is that it provides a "Close to the Metal" programming experience and you have full control over the HTML. It aslo means that you should care about the vulnerabilities regards with your HTML. In webform, server controls would be automatically HTML-encoded their outputs. While developing ASP.NET MVC apllications, you should filter your HTML to avoid XSS attacks. Use the following HTML helper methods to avoid vulnerabilities in your ASP.NET MVC applications.

     Use Html.Encode to defense XSS

    Use Html.Encode Helper method if you output user-supplied data.

    Your search result for category : <%=Html.Encode(ViewData["Category"]) %>

    Lets assume that if the user supplied "<script>alert('XSS')</script>" for input data , the Html.Encode will avoid to execute  as a JavaScript function  and will ensures to display that string as a literal text. When you using built-in Helper methods, It will automatically HTML-encode their outputs. As Rob Conery said, Html.Encode is not a silver bullet to avoid XSS

     Use Html.AntiForgeryToken to defense Cross-Site Request Forgery (CSRF)

    The Html.AntiForgeryToken helper method provides the support for detecting and defense CSRF attacks. This helper method available in Microsft ASP.NET MVC Futures assembly (Microsoft.Web.Mvc.dll). The assembly can download from .  Check the below example

    <% Html.BeginForm("Save", "Category", FormMethod.Post); %>
    <%= Html.AntiForgeryToken() %>    

    <% Html.EndForm(); %>

    The AntiForgeryToken helper would  generate a hiiden field named __MVC_AntiForgeryToken and gave a value that randomly generated for each user request. And at the same it gave cookie with name __MVC_AntiForgeryToken and the value would be constant for user session.

    <form method="post" action="/Category/Save">
    <input type="hidden" value="34/LV6nApPw0VWjxZkwY1imE8U8c+fAthll+ssF1fhbbK20HYA1EzXB6xaHqCHo4" name="__MVC_AntiForgeryToken"/>

    The authorization filter atrribute [ValidateAntiForgeryToken] will check the all incoming request with form value __MVC_AntiForgeryToken and block the request if there is a invalid token is supplied. A CSRF attacker can't know the randomly generated value of AntiForgeryToken.

    The below example used [ValidateAntiForgeryToken] in the controller action to validate the AntiForgeryToken.

     public ActionResult Save(FormCollection  form) {

  • ASP.NET MVC Tip: Dependency Injection with Unity Application Block

    In my earlier post, I have explained how to use dependency injection pattern in MVC application using StructureMap. In this post, I demonstrate how you can use dependency injection pattern using Microsoft’s Unity Application Block (Unity). If you want to develop an ASP.NET MVC application fully with Microsoft stack, you can use Unity Application Block to perform dependency injection.Unity is a cool dependency injection container and I hope that it will become more powerful in the future releases.

  • ASP.NET MVC for Live Applications

    ASP.NET MVC has got big attention in the community and lot of people are looking to develop production ready applications with ASP.NET MVC. When can we start production ready applications with ASP.NET MVC? Since ASP.NET MVC Beta version is available, I think this is time to start live application with ASP.NET MVC. There is already lot of live applications build with ASP.NET MVC. Stackoverflow is really a killer web application build with ASP.NET MVC.  If you are an Architect, this is the right time to develop infrastructure frameworks for ASP.NET MVC. The RTM version will be in Q4 2008 or Q1 2009. I hope that the RTM version will be release on this December. The changes from Beta to RTM version will be very minimum and the Beta release comes with an explicit "go-live" license that allows you to deploy it in production environments. Scott Guthrie wrote in his bog post ASP.NET MVC Beta Released “Today's ASP.NET MVC Beta release comes with an explicit "go-live" license that allows you to deploy it in production environments.  The previous preview releases also allowed go-live deployments, but did so by not denying permission to deploy as opposed to explicitly granting it (which was a common source of confusion).  Today's release is clearer about this in the license. The beta release is getting close to V1 feature complete, although there are still a few more features that will be added before the final "V1" release (including several VS tooling enhancements).  The team decided to call this release a "beta", though, because the quality and testing of it is higher than the previous previews (a lot of bug fixes and performance tuning work went into it), and they feel that the core features that are in it are now "baked enough" that there won't be major changes from this release to the final product”.

    I believe that breaking changes and new features will be available after the release of V1. When I asked about the SubController infrastructure, Scott Guthrie replied that “The team currently has that penciled in for the release immediately following V1.  The reason for not having it in V1 are: 1) there are a couple of approaches that could be used for it, and we want to spend a little more time investigating and exploring them (and not bake something prematurely into V1), and 2) there is a subcontroller implementation currently in the MVCContrib project that be used with the V1 release.  I'd recommend looking at using that one if you need a subcontroller pattern, and then we'll bake one into the core binary once we feel confident on a final design”.

    Our Development Attitude

    ASP.NET MVC is a great technology and you can build powerful and highly maintainable web applications with ASP.NET MVC. But please keep in mind that you can build good and bad applications with same technology. So our attitude and development approaches are very important for building great software and the most important things is that we should have a good architecture for good software. I strongly believe that the .Net developer community should be more focus on object oriented principles and practices. I believe that the ALT.NET movement is a good sign and the ALT.NET Criterion is good for building better software. The ASP.NET MVC technology is based on a loosely coupled architecture and the framework is highly testable so that it enables to build great software. When we build applications with ASP.NET MVC, we should focus on object-oriented principles and practices and take this time to change our attitude towards object-oriented way. In the past, applications have been data-centric and this has been gradually changing to object-oriented way. I would like to suggest using an ORM for data persistence, Persistence Ignorance (PI) objects for domain layer,  Repository pattern, Inversion of Control (IoC) container for dependency injection (DI) along with your ASP.NET MVC application. And I believe that Test Driven Development (TDD) gives you lot of values to your application development process.

    Learning Resources to start applications

    Stephen Walther’s blog post A Guide to Learning ASP.NET MVC Beta 1 contains lot of links that provides to learn and develop applications with ASP.NET MVC. For validations, Emad Ibrahim’s blog post Client & Server Side Validation in ASP.NET MVC is an excellent one. For dependency injection, my blog post ASP.NET MVC Tip: Dependency Injection with StructureMap provides step by step instructions to apply dependency injection into an ASP.NET MVC application using Structuremap. My blog post ASP.NET MVC Tip: Ajax and Validations using jQuery demonstrates how we can use jQuery for Ajax and validation as well as demonstrating partial rendering using user control. Steve Sanderson's ( Author of Apress' ASP.NET MVC Book) Blog is damn worth to read. And I strongly recommend to visit Rob Conery’s blog for his storefront series.  He has been building an entire ecommerce application with ASP.NET MVC

  • ASP.NET MVC Beta Released

    Microsoft has released the official beta for ASP.NET MVC. You can download the Beta version from here.  The Beta installer installs the ASP.NET MVC assemblies (System.Web.Mvc.dll, System.Web.Routing.dll, and System.Web.Abstractions.dll) into the GAC. In previous previews, these were not installed into the GAC. Because of this change, the default project templates do not automatically copy the assembly into the Bin directory of your application.

  • ASP.NET MVC Tip: Dependency Injection with StructureMap

    In this tip, I demonstrate how you can use the dependency injection with StructureMap within an MVC application. StructureMap is an open source Dependency Injection framework for the .NET platform and has been in use since 2004 .StructureMap supports both setter and constructor injection and also offers testing and diagnostic features such as logging, tracing and wiring of mock objects. For download and more details visit Jeremy D Miller’s (Creator of StructureMap) blog is a great learning resource for StructureMap and good object oriented programming thoughts.

  • ASP.NET MVC Tip: Ajax and Validations using jQuery

    jQuery is now part of the development platform and it is going to ship with Visual Studio in the future and will also be the part of ASP.NET MVC installation. ASP.NET MVC will be the first product to include jQuery. Guru Gu’s blog entry has the full details regarding this. This is a great decision from Microsoft and I hope that the community would be happy about the great decision taken by Microsoft. And this is another good step for web development after the ASP.NET MVC technology. jQuery is an excellent java script library and very popular among the web developers regardless of technology. In this post, I demonstrate how to integrate jQuery with ASP.NET MVC and will be explain how to send Ajax requests and also show client side validation using jQuery. I am using a blog application for this demo and it will show how to post a comment of a blog entry using Ajax request and will also show partial rendering with the help of a user control.

  • Default option label for DropDownList in ASP.NET MVC Preview 5

  • ASP.NET MVC Validations using MVCContrib

    In my earlier post, I have explained how to use MVCContrib Grid in MVC application. In this post, I demonstrate how you can use MVC client side validation using the MVCContrib Validation helpers.  MVCContrib is a cool contrib project to MVC that extends the functionalities of an MVC application and it provides rich set of validation helpers and it also provides different validation groups. The MVCContrib project can download from

    The following are the steps to get Validation Helpers to work:


    Add a reference to the MvcContrib assembly (download available from

    Step 2

    Add namespace import for MvcContrib to your web.config file:

  • ASP.NET MVC Grid View using MVCContrib

    In this post, I demonstrate how you can use the  Grid UI helper of the MVCContrib project in your ASP.NET MVC  application. MVCContrib is a community project that adds the functionalities to Microsoft’s ASP.NET MVC Framework and makes the framework easier to use. MVCContrib provides several UI helpers and Grid UI helper is one of them. The Grid helper provides the functionalities of GridView control of ASP.NET GridView. The Grid component generates HTML tables for displaying data from a collection of Model objects and it support paging. The MVCContrib project can download from

    The following are the steps to get Grid to work:


    Add a reference to the MvcContrib assembly (download available from )

    Step 2

    Add a namespace import for MvcContrib.UI.Html to your web.config file:
            <add namespace="MvcContrib.UI"/>
            <add namespace="MvcContrib.UI.Html"/>
            <add namespace="MvcContrib.UI.Html.Grid"/>
           <add namespace="MvcContrib"/>

    Using the Grid

  • ASP.NET MVC Preview 4 Released

     ASP.NET MVC Preview 4  has been released on the CodePlex. You can download it from here.The Preview 4 release provides the new features such as OutputCache Action Filter, Authorize Action Filter, AccountController, Ajax Helpers and Namespaces in Routes.Visit Guru Gu's (Scott Guthrie) blog entry for more detailed informations. Now the ASP.NET MVC is getting the maturity for live production and the product is going close to the official beta, after that RTM version will be available. I hope the community can expect V 1.0 release on this year itself and new enhanced features will be included in a future full release.

  • MVC Vs Web Form

    Software Architects have been involving lot of debates about different approaches and architectures. Some of the examples are ORM Vs Store Procedures, REST Vs SOAP, etc. There is a debate happening inside the Microsoft community about web form Vs MVC. Many people thinking that MVC will be replace webforms at least eventually and others are thinking that MVC will not be replace webforms. Will MVC replace webforms?. MVC is an alternative approach to webforms rather than a replacement. It will not replace webforms and webforms will not replace ASP.NET MVC. The fact is that ASP.NET MVC and webforms will co-exist and that ASP.NET MVC is not a replacement for webforms. If you prefer MVC use it and you feel webform is more comfortable, you can use it. . Both approaches are just choices and different approaches and choices are good things. Different choices are available for other platforms especially in the Java platform.

  • REST and WCF 3.5

    The first version of WCF was focused on SOAP. But another approach known as REST is becoming a popular approach for building web services. The latest version of WCF in the .NET Framework 3.5 supports both SOAP and REST.

    What is REST?

    REST is an acronym standing for Representational State Transfer and it is an architecture style of networked systems. According to Roy Fielding (one of the principal authors of the Hypertext Transfer Protocol (HTTP) specification) , the explanation of Representational State Transfer is :
    "Representational State Transfer is intended to evoke an image of how a well-designed Web application behaves: a network of web pages (a virtual state-machine), where the user progresses through an application by selecting links (state transitions), resulting in the next page (representing the next state of the application) being transferred to the user and rendered for their use." Systems that follow Fielding’s REST principles are commonly known as “RESTful”;

    REST means that each unique URL is a representation of some object. You can get the contents of that object using an HTTP GET, to delete it, you then might use a POST, PUT, or DELETE to modify the object.

    Unlike SOAP, REST is not a standard or specification. It is just an architectural style. You can design your web services using this architectural style.

    REST is using the built-in operations in HTTP: GET, POST, and others. And rather than identify the information to be accessed with parameters defined in XML, as SOAP typically does, REST assumes that everything is identified with a URL. However REST is not a standard, it does use the following standards