Proper place for security checks

Topics: Writing modules
Nov 15, 2011 at 11:10 PM

Just a general best practices question here...

In my controller I have [HttpGet] and [HttpPost] methods for various actions. I have checks for Role membership and occasionally other checks for things in my module in the [HttpGet] method and I've also been putting them in the [HttpPost] method as well before I check the model state and call the service to update the database. Is it necessary to do the security checks again in the [HttpPost] method if I'm already doing them in the [HttpGet]?

Thanks!

Nov 15, 2011 at 11:17 PM

Yes, because someone can easily fake a POST if they know the controller is there. Actually POST is where you need security most of all, because it's there you're actually modifying the database ;)

If they're both performing the same checks you could refactor that into another method to avoid the code duplication.
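The pattern described in the reply above, as an added ASP.NET MVC example that is not code from this thread or from Orchard: the role check is moved into one private method that both the [HttpGet] and [HttpPost] actions call before doing anything else. The controller, model, service interface and the "Administrator" role name are all assumed for illustration.

```csharp
using System.Web.Mvc;

// Assumed names for the example only.
public class ItemEditModel
{
    public int Id { get; set; }
    public string Title { get; set; }
}

public interface IItemService
{
    ItemEditModel Get(int id);
    bool IsLocked(int id);
    void Update(ItemEditModel model);
}

// BEFORE (the situation the question asks about, with the checks left out of
// the POST): the GET refuses non-administrators, but the POST does not, so a
// request sent directly to /Item/Edit with a forged form body updates the
// database without ever passing through the GET.
public class UnsafeItemController : Controller
{
    private readonly IItemService _service;
    public UnsafeItemController(IItemService service) { _service = service; }

    [HttpGet]
    public ActionResult Edit(int id)
    {
        if (!User.IsInRole("Administrator"))
            return new HttpUnauthorizedResult();
        return View(_service.Get(id));
    }

    [HttpPost]
    public ActionResult Edit(ItemEditModel model)
    {
        // No role check here: this is the bypass.
        if (!ModelState.IsValid) return View(model);
        _service.Update(model);
        return RedirectToAction("Index");
    }
}

// AFTER: one helper holds the role check plus the module-specific check, and
// both actions call it first. It returns null when access is allowed and an
// ActionResult to short-circuit with otherwise.
public class ItemController : Controller
{
    private readonly IItemService _service;
    public ItemController(IItemService service) { _service = service; }

    private ActionResult CheckEditAccess(int itemId)
    {
        if (!User.IsInRole("Administrator"))
            return new HttpUnauthorizedResult();
        if (_service.IsLocked(itemId))          // example of a module-specific check
            return new HttpStatusCodeResult(403, "Item is locked");
        return null;
    }

    [HttpGet]
    public ActionResult Edit(int id)
    {
        var denied = CheckEditAccess(id);
        if (denied != null) return denied;
        return View(_service.Get(id));
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // stops a third-party site from submitting the form on an admin's behalf;
                               // it complements the role check, it does not replace it
    public ActionResult Edit(ItemEditModel model)
    {
        // Authorize on the id the client actually posted, before touching the model state or the service.
        var denied = CheckEditAccess(model.Id);
        if (denied != null) return denied;
        if (!ModelState.IsValid) return View(model);
        _service.Update(model);
        return RedirectToAction("Index");
    }
}
```

If every action in the controller needs the same role, [Authorize(Roles = "Administrator")] on the class is simpler than a helper, because it runs before any action regardless of HTTP verb and cannot be forgotten on a new POST action; the helper method is useful when the check also depends on the posted data, as in the locked-item case above.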

Nov 15, 2011 at 11:18 PM

I see...thanks for clarifying that for me. There are a couple of methods with quite a bit of security checking, so I think I may take your suggestion and roll those into another method.

Thanks again!