diff options
author | levib <levib@microsoft.com> | 2012-04-07 03:40:59 +0400 |
---|---|---|
committer | levib <levib@microsoft.com> | 2012-04-07 03:42:35 +0400 |
commit | de43b6ad756800fd3b6e984ec65f9f37dbad723f (patch) | |
tree | dcf9b9af761a2ac8924b37084938a1bf79807883 /src/System.Web.Mvc/WebViewPage`1.cs | |
parent | a257938cd04948862e4af29f44aa45ffaea86592 (diff) |
Responding to customer and partner feedback re: the Anti-XSRF helpers.
What's new:
- Programmatic configuration over various Anti-XSRF behaviors:
-> The name of the cookie to use.
-> Whether SSL is required.
-> Ability to provide a nonce or other "custom data".
- The exception message is now a little less cryptic. It tells you exactly what check failed (e.g. the cookie 'foo' was missing, the token was meant for a different user, etc.).
- The system tries to detect if the current identity is degenerate (e.g. authenticated but without a name) and fails safe. The exception message specifies how to resolve the problem. (This check can be suppressed via config if necessary.)
- Ability to get the cookie and form token strings directly if you want more manual control.
- Built-in support for OpenID and Azure ACS (WIF).
- For most consumers, the token size is smaller.
Breaks:
- The salt / domain / path parameters are all obsolete as error. The customer can achieve the same effect by using the <httpCookies> configuration element or calling the AntiForgery.* APIs that are string-based.
- Not compatible with MVC 1 / 2 / 3. However, this system makes it easier to recover gracefully when an old token is submitted.
CR: marcind; bradwils
SR: naziml
Diffstat (limited to 'src/System.Web.Mvc/WebViewPage`1.cs')
0 files changed, 0 insertions, 0 deletions