2

I have built up a nice MVC4 application, decided to secure it and all is fine. Below is the filter I use to help prevent XSS attacks as an example.

public class IsPostedFromThisSiteAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        //TODO: - Possible problems in future:
        //1. Is there a way to handle the execptions and just display a friendly error page / message.

        if (filterContext.HttpContext != null)
        {
            if (filterContext.HttpContext.Request.UrlReferrer == null)
                throw new System.Web.HttpException("Invalid Submission");

            //if (filterContext.HttpContext.Request.UrlReferrer.Host != "localhost/YeatsClinical.PatientPortal.Web")
            if (filterContext.HttpContext.Request.UrlReferrer.AbsolutePath != ConfigurationManager.AppSettings["SiteURL"])
                throw new System.Web.HttpException("This form was not submitted from this site!");
        }
    }
}

My MVC app has Elmah installed and it works great too.

The problem is, I know about the error above and I don't want to display an exception message, or log it or anything like that (all of which I can do easily). Instead I want to handle it properly by displaying a nice little message to my user. How can I change the code above to allow this to either display a view or partial view with a nice little message or just output some text somewhere to let the user know what went wrong in a nice way that doesn't cause the application to crash, perhaps in this particular case, returning him to the correct login screen.

Improve this question

1 Answer 1

Reset to default
2

Just assign the Result property on the filterContext:

public class IsPostedFromThisSiteAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        //TODO: - Possible problems in future:
        //1. Is there a way to handle the execptions and just display a friendly error page / message.

        if (filterContext.HttpContext != null)
        {
            if (filterContext.HttpContext.Request.UrlReferrer == null)
            {
                var viewResult = new ViewResult
                {
                    ViewName = "~/Views/Shared/Invalid.cshtml"
                };
                filterContext.Result = viewResult;
                return;
            }

            if (filterContext.HttpContext.Request.UrlReferrer.AbsolutePath != ConfigurationManager.AppSettings["SiteURL"])
            {
                var viewResult = new ViewResult
                {
                    ViewName = "~/Views/Shared/InvalidSite.cshtml"
                };
                filterContext.Result = viewResult;
                return;
            }
        }
    }
}

This will prevent the controller action to be executed and will immediately execute the ActionResult you have assigned to the Result property of the filterContext. Basically you are short-circuiting the execution of the action. You could return whatever ActionResult you want: ViewResult, PartialViewResult, JsonResult, RedirectToRouteResult, ...

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks for your answer. I am getting an error but its not with this code, this is related to my login page and I am getting an error with that which is not part of the question. I made a sample project and used your code to verify it works and it does. So with that I will accept your answer, and thanks again for your help with this.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.