asp.net mvc - AntiForgeryConfig.RequireSsl causes random errors when using without SSL -

-

our security team requires cookies set secure=true.

to set secure property mvc antiforgery, using following code:

    protected void application_beginrequest(object sender, eventargs e)     {         antiforgeryconfig.requiressl = httpcontext.current.request.issecureconnection;     }

but have problem on our test server not using ssl. have spontaneous errors

the anti-forgery system has configuration value antiforgeryconfig.requiressl = true, current request not ssl request.

when looking in asp.net mvc code pinpoint location of exception, found following

private void checksslconfig(httpcontextbase httpcontext) {     if (_config.requiressl && !httpcontext.request.issecureconnection)     {         throw new invalidoperationexception(webpageresources.antiforgeryworker_requiressl);     } }

it seems correct , should work because execution sequence is

    antiforgeryconfig.requiressl = httpcontext.current.request.issecureconnection;     // ... happens in between         if (_config.requiressl && !httpcontext.request.issecureconnection)         {             throw new invalidoperationexception(webpageresources.antiforgeryworker_requiressl);         }

but seems requests httpcontext.current.request.issecureconnection returning true although not using ssl on our test server.

what's going on there? why exception?

i searching information antiforgeryconfig.requiressl , found question. in following code:

protected void application_beginrequest(object sender, eventargs e) {     antiforgeryconfig.requiressl = httpcontext.current.request.issecureconnection; }

you modify application level value (antiforgeryconfig.requiressl) local value (request.issecureconnection).

if have 2 requests different request.issecureconnection value, think happen ? - first request set antiforgeryconfig.requiressl false - second request set antiforgeryconfig.requiressl true - first request evaluated checksslconfig (true) - second request evaluated checksslconfig (true)

you must avoid modifying global application setting way , write own filter handle kind of behavior.


Comments

Post a Comment

Popular posts from this blog

c++ - Creating new partition disk winapi -

-
i'am trying create new partition , mount volume new, thought createfile let me this, code : lpctstr lpfilename=l"\\\\.\\device\\harddisk0\\partition3"; handle handl=createfile( lpfilename, generic_read | generic_write, file_share_read | file_share_write, null, create_always, file_attribute_normal, null ); if (handl==invalid_handle_value) { qdebug()<<"handl invalid"<<" error"<<getlasterror();} bool success = definedosdevice(ddd_raw_target_path,l"i:",l"\\device\\harddisk0\\partition3"); if(!success) qdebug()<<" definedosdevice failed "<<getlasterror(); bflag = getvolumenameforvolumemountpoint( l"i:\\", // input volume mount point or directory /** u in dir
Read more

Android Prevent Bluetooth Pairing Dialog -

-
i'm developing internal application uses bluetooth printing. want bluetooth pairing occur without user input. have managed working trapping android.bluetooth.device.action.pairing_request broadcast. in broadcast receiver call setpin method, , pairing works ok, bluetoothpairingdialog displayed second or two, disappears - see link below. https://github.com/android/platform_packages_apps_settings/blob/master/src/com/android/settings/bluetooth/bluetoothpairingdialog.java since broadcast non-ordered, can't call abortbroadcast() , , wondering if there other way prevent pairing dialog appearing. can hook window manager in way? i haven't been able come way without modifying sdk. if you're oem, it's easy (i'm on 4.3): in packages/apps/settings/androidmanifest.xml, comment intent filter pairing dialog: <activity android:name=".bluetooth.bluetoothpairingdialog" android:label="@string/bluetooth_pairing_request"
Read more

VBA function to include CDATA -

-
i have following function include cdata: function cdatasection() dim objdom domdocument dim objkmlrootelement ikmldomelement dim objkmlelement ikmldomelement dim cdata ikmldomcdatasection set objdom = new domdocument set objkmlrootelement = objdom.createelement("balloonstyle") objdom.appendchild objkmlrootelement set objkmlelement = objdom.createelement("text") objkmlrootelement.appendchild objkmlelement set cdata = objdom.createcdatasection("text") cdata.data = "<![cdata[<b>latitude = $[latitude]</b>?]]>;" end function when run above, getting error "user defined data type not found" function. yes ripster says find library reference. vba window tools>references for list of relevant references see... http://msdn.microsoft.com/en-us/library/windows/desktop/ms763701%28v=vs.85%29.aspx however, if have hard time tracking down reference, replace dim sta
Read more