Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute

2 March 2013 Update: Added security links. 20 June 2012 Update: Cookieless Session and Authentication not supported in ASP.NET MVC. Executive Overview: You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the Authorize attribute to each controller and use…


Response.Redirect and ASP.NET MVC – Do Not Mix

Update 28 November 2012: HttpResponse.Clear is safe but not recommended since it is a violation of the MVC pattern.  If you’re calling Clear(), then by definition you started doing one thing (like setting headers, writing to the response, etc.) but now suddenly need to back out and do something else.  In the MVC pattern, you…
