Question

I'm planning work on a new project and am now tempted to use ASP.NET MVC. My project plans to use jQuery and AJAX (although non-JS clients will also be supported). Coming from a standard ASP.NET background, I'm still trying to get my head around the MVC paradigm (with great help from Scott Guthrie). However, my main concern with using MVC is the security aspects. I've done quite a bit of security with ASP.NET and I know how to handle various attack vectors. Will I need to re-learn security with ASP.NET MVC? Are there new threats, or even new ways of handling old threats, that I will have to read up on? I've ordered a couple of ASP.NET MVC books (which have chapters on security), but I would like to know of anyone else's experience of this.

Thanks

Solution

Depends on what you mean by security.

Authorization is basically the same, if not easier. Forms Authentication is supported and encouraged and you need only stick an [Authorize] attribute on controllers or controller actions. Not too much to learn there.

ViewState is gone, so you don't need to worry about ViewState validation or any of that kludge.

If you're referring to XSS, I would say that it's about the same; you need to escape your data on the output and it's very easy to do:

<%= Html.Encode(Model.SomeString) %>

The only thing I can think of that you might find a bit different is handling CSRF/XSRF. Fortunately, most of this is already built in to the framework.

So on the whole I'd say no, the learning curve for security in ASP.NET MVC should not be nearly as steep as the learning curve for the architecture itself.
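
Added example, not part of the original answer: the built-in pieces the answer mentions ([Authorize], output encoding by the HTML helpers, and the framework's anti-forgery support) combined in one controller. `ProfileController` and `ProfileModel` are hypothetical names, and the ASPX view markup is shown in comments.

```csharp
using System.Web.Mvc;

// Hypothetical model used only for this example.
public class ProfileModel
{
    public string DisplayName { get; set; }
}

// [Authorize] on the class requires an authenticated user
// (for example via Forms Authentication) for every action below.
[Authorize]
public class ProfileController : Controller
{
    // GET: renders the edit form. The view would contain:
    //
    //   <% using (Html.BeginForm("Edit", "Profile")) { %>
    //       <%= Html.AntiForgeryToken() %>
    //       <%= Html.TextBox("DisplayName", Model.DisplayName) %>
    //       <input type="submit" value="Save" />
    //   <% } %>
    //
    // Html.AntiForgeryToken() writes a hidden __RequestVerificationToken
    // field and sets a matching cookie. Html.TextBox encodes the value
    // it places in the attribute.
    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult Edit()
    {
        return View(new ProfileModel { DisplayName = User.Identity.Name });
    }

    // POST: the state-changing action. [ValidateAntiForgeryToken] rejects
    // the request when the form field or the cookie is missing, or when
    // the two do not match, which is what stops a cross-site forged POST.
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(ProfileModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model); // redisplay the form with validation errors
        }

        // Persist model.DisplayName here (storage is outside this example).
        return RedirectToAction("Edit");
    }
}
```

For jQuery AJAX posts, include the hidden field's value in the posted form data under the name `__RequestVerificationToken`, because the attribute reads the token from the form fields.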

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow