I am currently working on an ASP.NET MVC project and came upon an error that seemed peculiar.
In the ASP.NET MVC Templates forms always get an AntiForgeryToken (thus leading me to believe that this is a best practice). However AntiForgeryTokens don't seem to work well with caching.
For example when I open a site with a form including an AntiForgeryToken and I duplicate the browser window both windows have the exact same AntiForgeryToken leading to an exception when posting the form. This problem does not exist when caching is disabled (via ActionFilter NoCache, see Disable browser cache for entire ASP.NET website).
So I guess my question is: Is this supposed to be that way? Is there any other way besides disabling the cache to tackle the problem?
Especially the fact that the default ASP.NET MVC templates contain AntiForgeryTokens but don't disable the cache (and therefore are open to the error described above) makes me wonder.
Thanks in advance!
This is the expected behavior. Caching nicely caches the answer, including the value of the AntiForgeryToken. Disable caching on forms, and in particular on pages that use AntiForgeryToken. If you think about this further, if you're in a data-entry app, do you want to cache your data-entry forms? Probably not. However you do want to cache heavy reports -- even if it's just micro-caching -- a second or two.
Related
I used to utilize MVC 3 Razor engine to render pages. Sometimes I had to use AJAX calls to transfer Razor-rendered HTML and inserting it into the page using JQuery. As new project is starting, we do consider to utilize MVC 4 Single Page Application framework which is new to us. I took the first glance at it which left me with mixed feelings:
On the one hand it implies all your data are transferred by JSON and client does all the job to render them and encode some UI-related logic which is great for server and network performance. On the other hand the client (HTML+JavaScript) becomes much more heavy with a bunch of magic strings and hidden relations inside it which seems to be hard to maintain. We got used to VS intellisense, type-safed .NET server code to render pages which we have to exchange for client scripts and Knockout binding statements in case of SPA.
I wonder are any prons and cons of using SPA comparing to Razor, other that this obvious one I've mentioned here? Thanks
Razor is a server based technology where SPA (Single Page Application) is an architecture approach used on the client (web browser). Both can be used together.
From a high level, SPA moves the rendering and data retrieval to the client. The web server becomes a services tier sitting in front of the database. An MVC pattern works best when using SPA. Frameworks like Knockout.js and Backbone.js can be used for this. The net results is a rich responsive desktop like experience.
To achieve this you'll need to be a descent javascript programmer or be willing to learn javascript.
Yes it's moving business requirements from C# into javascript. In Visual Studio there is limited intelli-sense for javascript. To have confidence in your javascript you'll need to lean on unit testing. The up side is the rich user experience (think gmail or google maps).
I think it sounds like you are already fairly well apprised of most of the trade-offs here; you'll have reduced network load with SPA, and will shift a measure of the processing to the client. You will, however, increase the complexity of your code, and make it slightly harder to easily maintain the system (simply because of the increased complexity - not due to any architectural problems inherent in SPA).
Another thing to keep in mind is compatibility. The reason I mentioned a "false choice" in my comment to your question is that to keep the site usable for folks with Javascript disabled, you will still need to provide regular, whole-page views. This is also a good idea to do for the sake of SEO; a crawler will browse your site as a user with JS disabled, and can then index your site. The site should then handle such incoming URLs properly so that those with JS enabled will find themselves in your SPA looking at the same content (as opposed to being dumped in the "no JS" view unnecessarily).
There's something else I'll mention as a possibility that might help with the above, but it breaks the ideals of an SPA; that is, using Ajax-loaded partials in some places, rather than JSON data. For example, say you have a typical "Contact EMail" form on the site; you want that to load within the context of the SPA, but it's probably easier to do so by loading the partial via AJAX. (Though certainly, yes; you could do it with a JSON object describing the fields to display in the e-mail form).
There will also likely be content that is more "content" than "data", which you may still wish to load via partials and Ajax.
An SPA is definitely an interesting project, and I'm about to deploy one myself. I've used a mix of JSON and partials in it, but that may not be your own choice.
We are currently reworking a WebForms based application to a MVC3/Razor system, and have hit a minor issue.
In our current solution, we have a large number of resources held within an external CMS that are compiled into our .aspx pages via a GlobalResource handler; this means that the hit on the CMS is low, and that the resources are only ever needed to be collected once for each individual page.
We can't seem to find any mechanism within Razor/MVC3 that would allow us to do the same thing - any pointers?
I'm not 100% sure I understand your question, but it sounds like you are using an HttpHandler to serve up a bundle of resources. There's no reason that code can't continue to work in MVC3 as-is. If you're doing something else, I'll need a little more clarification :). What's the underlying goal? To reduce the number of Http Requests per page?
In my MVC3 Project I use some output caching with the OutputCache attribute set on the action. However there are certain sections on this page that I dont want to cache ever.
Is it possible to have some partials in my view that overrides the pages caching?
You can now get proper donut caching by downloading the MvcDonutCaching NuGet package. See http://mvcdonutcaching.codeplex.com/ and http://www.devtrends.co.uk/blog/donut-output-caching-in-asp.net-mvc-3 for more information.
Yes you are 'supposed' to be able to do this.
See:
Partial Views Caching in ASP.NET MVC 3
Also I use a method to disable caching for controllers here:
Disable browser cache for entire ASP.NET website
Seems like this is the answer: http://weblogs.asp.net/scottgu/archive/2006/11/28/tip-trick-implement-donut-caching-with-the-asp-net-2-0-output-cache-substitution-feature.aspx
You basically have two options:
Refactor the page so that rather than caching the entire page,
you identify all the specific pieces (controls, partials, etc) that
should be cached. (boo)
Use output substitution blocks as Scott
Guthrie describes in the link. (boo as well unless the replacement
is just simple text)
This is called donut caching and isn't supported out of the box in MVC3. Check out my similar question here. Specifically, Jan Jongboom's Moth library which he suggests can do this (though I cannot confirm or deny this)
We have web applications elgifto.com, roadbrake.com in which we used AJAX at many places, especially to update major portions of a page. All the important functionality of elgifto.com was implemented using AJAX. Now we realize a few issues due to AJAX implementation.
All the content implemented using
AJAX is not available to the SEO
bots and it is hurting the page rank
of our site.
Users will not be able to bookmark
some of the pages as they are always
available through AJAX.
When we want to direct the user from
one page through an anchor link to
another page having AJAX, we find it
difficult.
So now we are thinking of removing AJAX for these pages and use it only for small functionality such as something similar to marking a question as favorite in SO. So before going ahead and removing, we want to know expert's opinion on this. Thanks.
The problem is not "AJAX" per se, but your implementation of it. Just as a for instance, you can fix the 'bookmark' problem like google maps does it: provide a generated link for each state of your webapp.
SEO can befixed by supplying various of these state-links to the crawlers, either organically trough links in your site, or by supplying a list (sitemap).
If you implement 2, you can fix 1 and 3 with those links.
In the end you must figure out if the effort is worth it, and if you are not overusing AJAX ofcourse, but the statements you've made are not set in stone at all.
I'm costantly developing ajax based websites, with no problems for SEO at all. You just have to use it in the best possible way.
For example, I have a website with normal links pointing to normal webpages (PHP pages), this for normal navigation if a user doesn't have JS enabled. But if a user has JS enabled, a script will change the links behavior, only fetching the content of the page needed.
This way you still have phisycal separated webpages with all their content, which will be indexed as normal.
I'm writing an application in MVC3. it has features like login, a simple forum, news, and pages that get their main content from the db.
I'm looking into caching right now.
First I tried the simple [OutputCache] attribute but noticed that it caches the same content for every user. Normally it wouldn't be that much of a problem, but - for example - the login box is cached too and therefore it shows the same content for every user (and everybody will just see that they are logged in as admin). Even if I set Location=OutputCacheLocation.Client, after a logout the cached page still shows that I'm logged in.
No matter, I thought I can always try Response.WriteSubstitution, but for some reason it seems to be broken in MVC3.
I'm now reading about the "ASP.NET MVC Result Cache", and it seems interesting, but is it a proper way to handle caching?
Also am I able to cache childactions, or partial views in an otherwise very dynamic page?
There are so many options and I don't know what should I use and when.
Sorry that my question is so vague, but I don't even know what to ask in this case.
I think this post my solve your problem.
MVC3 custom outputcache
Good luck