NashTech Insights

Common Misconceptions in C# and .NET – Relying On Client Validation

Hieu Nguyen

Relying solely on client-side validation should be strictly avoided. It is not a reliable approach, as skilled users can easily manipulate the client-side code to bypass the validation rules. Let’s examine an example to illustrate this point.

In our scenario, we have a Razor Pages application with a login form. The form uses bind-property attributes in the code-behind to bind the form values to properties. We have defined various validation attributes such as Required and MinLength. ASP.NET Core simplifies our task by automatically generating the necessary JavaScript code for validation when we use the jQuery Unobtrusive Validation library.

In the current implementation, the form submission does not include the authentication step. If the form is successfully submitted, it redirects to the Privacy page. Let’s observe what happens when we interact with the form.

When we attempt to submit the form, we notice that the Unobtrusive library automatically prevents the form submission.

However, as a skilled user, we understand that any client-side validation can be bypassed. It is a straightforward process. By opening the browser’s developer tools (using the F12 key), selecting the “form” in “Elements”, and navigating to “Event Listeners”, specifically the “submit” event, we can remove the form-submit-handler.

Once this modification is made, subsequent form submissions no longer undergo validation, and we are redirected to the next Privacy-policy page.

This example clearly demonstrates how easily client-side validation can be circumvented unless robust server-side protection is in place. To illustrate the significance of server-side validation in addition to client-side validation, let’s enable server-side protection and repeat the experiment.

After enabling server-side protection and relaunching the application, we revisit the same page and attempt the previous steps. We remove the event handler and submit the form again.

This time, the correct validation messages are displayed, the validation JavaScript library is automatically bound to the form’s submit event again by the server-side rendering, and we are prevented from accessing the next Privacy screen. This effectively showcases the ease of setting up client- and server-side validation with ASP.NET Core and emphasizes the importance of performing server-side validation alongside client-side validation.
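The server-side check described above, sketched as a Razor Pages page model. This is an added example, not the article's own code: the class name, namespace, field names and minimum lengths are assumptions, and it is meant to be dropped into an existing Razor Pages project.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace Example.Pages; // hypothetical namespace

public class LoginModel : PageModel // hypothetical page model name
{
    // Assumed field names and limits. The same attributes drive both the
    // generated client-side rules and the server-side ModelState checks.
    [BindProperty]
    [Required]
    [MinLength(3)]
    public string Username { get; set; } = string.Empty;

    [BindProperty]
    [Required]
    [MinLength(8)]
    [DataType(DataType.Password)]
    public string Password { get; set; } = string.Empty;

    public void OnGet() { }

    // Before: trusts the browser. Once the submit handler is removed in the
    // developer tools, an empty form still reaches the redirect.
    // public IActionResult OnPost() => RedirectToPage("/Privacy");

    // After: model binding has already evaluated the attributes on the
    // server, so the handler refuses to continue unless ModelState is valid.
    public IActionResult OnPost()
    {
        if (!ModelState.IsValid)
        {
            // Re-render the form. Validation tag helpers on the page (if it
            // uses them) show the messages, and the reloaded page wires the
            // unobtrusive validation scripts to the form again.
            return Page();
        }

        return RedirectToPage("/Privacy");
    }
}
```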

To ensure comprehensive validation, it is crucial to always validate on the server side. Client-side validation serves as an initial layer, but it must be reinforced by robust server-side validation to maintain the integrity and security of the application.

Hieu Nguyen

Hieu is an Engineering Manager at NashTech with 20+ years of experience in software development. He specializes in the Microsoft stack and has in-depth knowledge of and experience with Microsoft technologies such as .NET Framework, C#, ASP.NET, SQL Server, Azure, and Visual Studio. He is in a leadership role that involves overseeing and guiding the technical teams involved in software engineering projects.
