I have an maintenance controller in my app for editing the database. I have restricted the control with authorization attribute, but should i be doing more than this? What are the risks here? For example should I create a separate assembly for this or a new application or a remote application?

No correct solution


The authorization is pretty secure... I wouldnt go with classified government secrets on it... but I havent seen any good ways to bypass it, excepting for cookie stealing and MIIM attacks but those are going to be present in all non ssl sites regardless of hosted technology.

One thing I'd do is to white/black list properties on the views model so that you can't have someone calling your Controller Delete Action with an object that has say an id.

So your controller code may look like;

public ActionResult Create( [Bind(Exclude="ID")] MyModel model)

So you are excluding the ID field in the MyModel object.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow