StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POIs a good practice to avoid CSRF doing this? (ASP.NET MVC 3)
primarykey
Id
14614043
data
AcceptedAnswerId
14614954
AnswerCount
1
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2013-01-30T21:22:20.620
FavoriteCount
0
LastActivityDate
2013-01-31T02:17:39.967
LastEditDate
2013-01-30T21:56:53.467
LastEditorUserId
727208
OwnerUserId
752900
ParentId
0
PostTypeId
1
Score
1
ViewCount
335
LastEditorDisplayName
text
Body
I have one question about the use of AntiForgeryToken provided by MVC 3. I will try to explain my idea. The basic idea is an Ajax button to "mark as favorite" one (or more) item from a Catalog. So I have a grid with the entire list of items, and each of this items has a button to make as favorite. Well... my idea implementation is this: When the user push the favorite button, this send a GET request to the server to retrieve a partialView with AntiForgeryToken (all of this is transparent to the user because happen on the background). So when the Form is loaded the site automatically submit (POST) the data (the id of the item and the antiforgerytoken) to mark this item as favorite (again... this happen in background, so the user never see anything). This is the idea over request/response on Firebug: <pre><code>GET http://localhost/User/Favorite/Mark?url=156 Response from GET: <form action="/User/Favorite/Mark?url=156" method="post"> <input name="__RequestVerificationToken" type="hidden" value="WVXhVJJ3VNB8HrZQ6CZBPt35z2zvDjaHmlYWrnCvJoDUgeWMEGUGwm3clCD27vFAsxbs0upiRdVdo9Wsus Z7B6SU NQgV3iSYTUtE/EREWqT1Is/kwNZpdNf/3Pi7fD572pO89lTdYEjL0OlzmPJ5tmRQEUq/oMbuj0MnmPZskykGz6HzRmgC4Ez2bBoCp4" /> </form> ----------------------------- Then Submit the form with the AntiForgeryToken: POST http://localhost/User/Favorite/Mark?url=156 __RequestVerificationToke... WVXhVJJ3VNB8HrZQ6CZBPt35z2zvDjaHmlYWrnCvJoDUgeWMEGUGwm3clCD27vFAsxbs0upiRdVdo9Wsus Z7B6SU NQgV3iSYTUtE/EREWqT1Is/kwNZpdNf/3Pi7fD572pO89lTdYEjL0OlzmPJ5tmRQEUq/oMbuj0MnmPZskykGz6HzRmgC4Ez2bBoCp4 </code></pre> My question is simple. This is a good practice to get a AntiForgeryToken for an Ajax request? or is a bad idea? I have this question because I don't know if this idea can make a bug hole to exploit on my site in this specific actions. Thanks
Tags
<asp.net-mvc><csrf><antiforgerytoken>
Title
Is a good practice to avoid CSRF doing this? (ASP.NET MVC 3)
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. UStereško
UserOwnerUserId
1. USHolloW
plurals
PostLinksPostIdRelatedPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
2. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POIs a good practice to avoid CSRF doing this? (ASP.NET MVC 3)
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.