

Showing posts from March, 2013

Facebook, Internet Explorer, Anti-Forgery Tokens and Cookies

Tricky issue with the above 4 in one app... IE was blocking a session cookie from my ASP.Net MVC web application when hosted in the Facebook IFRAME. The anti-forgery token in ASP.Net (used to protect against spoof form posts known as CSRF attacks) would fail, saying the cookie it was checking against couldn't be found.

Turns out the issue was that in medium security settings, IE will "block third-party cookies that do not have a compact privacy policy". And as the app is in the IFRAME it is considered third party with respect to Facebook. To resolve I needed two things:

1) an XML file located at /w3c/p3p.xml containing

    <META xmlns="">
      <POLICY-REFERENCES>
        <EXPIRY max-age="10000000"/>
      </POLICY-REFERENCES>
    </META>

2) and a header emitted (in server side code, the meta tag equivalent didn't seem to suffice)

    Response.AppendHeader("P3P", "CP='IDC DS

Localised Form Validation in ASP.Net MVC

I've recently been working on a web application that required localisation - the display of translated copy depending on which country the user was visiting from. There was a different sub-domain for each country which was used to identify the appropriate one. It was also a requirement that the editors of the website could update the translated copy from a simple back-office tool. For most of the copy of the website this was fairly straightforward to set up. I had a database table called Texts that contained three columns: Country, Key and Value. And hence by looking up a particular country and key I could get the text to display. To ensure this was performant in practice, what I did for each web request was to look up all the keys and values for the appropriate market and populate a dictionary object. The look-up was cached using so I was only hitting the database when I needed to rather than on every request. I then created a base view model that all other view mo