Archives / 2011 / May
  • Security Issue in ASP.NET MVC3 JsonValueProviderFactory


              Model binding (a mechanism for mapping action method parameters to request data) is one of the most popular features of ASP.NET MVC. The default model binder gets its data from different value providers. In ASP.NET MVC 2, by default, these value providers include FormValueProvider, QueryStringValueProvider, RouteDataValueProvider and HttpFileCollectionValueProvider. ASP.NET MVC 3 added two additional value providers: ChildActionValueProvider and a value provider for JSON. The JSON value provider makes it very easy to model bind your action method parameters to incoming JSON data, but I have found a security issue with this value provider. In this article, I will show you the security issue regarding the JSON value provider and also show you how to protect against this security threat.

  • AsyncController v/s SessionLess Controller


              AsyncController was introduced in ASP.NET MVC 2, while the SessionLess controller was introduced in ASP.NET MVC 3. AsyncController allows you to perform long-running I/O operation(s) without making your thread idle (i.e., waiting for I/O operations to complete). On the other hand, the SessionLess controller allows you to execute multiple requests simultaneously for a single user, which would otherwise execute sequentially due to session synchronization. Understanding these concepts may be easy for you, but I have seen a lot of guys become confused about these concepts. In this article, I will show you how to use AsyncController and the SessionLess controller in an ASP.NET MVC application. I will also compare them and tell you what to use when, where, and why.