Breakpoint in ASP.NET MVC View not hit when using RazorGenerator

If your breakpoints in an ASP.NET MVC view are not hit: Check if you are using RazorGenerator for this particular view:

Screenshot of ASP.NET MVC view Properties. Custom tool set to RazorGenerator
RazorGenerator enabled for ASP.NET MVC view

Fix: Temporarily disable Razor Generator removing the “RazorGenerator” text from the Custom Tool property. Make sure to put it back in after your debugging session.


Show PDF in browser instead of downloading (ASP.NET MVC) without JavaScript

If I want to display a PDF file in the browser instead of downloading a copy, I can tell the browser via an additional Content-Disposition response header.

This code example assumes that the file content is available as byte-array, reading the content from a database, for example.

// Get action method that tries to show a PDF file in the browser (inline)
public ActionResult ShowPdfInBrowser()
  byte[] pdfContent = CodeThatRetrievesMyFilesContent();

  if (pdfContent == null)
    return null;

  var contentDispositionHeader = new System.Net.Mime.ContentDisposition
    Inline = true,
    FileName = "someFilename.pdf"

  Response.Headers.Add("Content-Disposition", contentDispositionHeader.ToString());
  return File(pdfContent, System.Net.Mime.MediaTypeNames.Application.Pdf);

Please keep in mind that ultimately we don’t have control over the browser. We can politely request to show the PDF inline, but this can be overridden by a user configuration, for example.

ASP.NET MVC Identity whitelisting vs blacklisting – Don’t trust yourself

Just imagine 2 different scenarios in a ASP.NET MVC app using ASP.NET Identity. In both cases you have an application that requires the user to be logged in.

Scenario 1: Blacklisting

Your authentication-default is “allow anonymous”, which is the default of the ASP.NET MVC 5 template. You create a new Action Method on a controller and forget to add the [authorize] attribute.

Resulting Issue: You have a potential security hole in your application that may remain undetected and possibly exploited.

Scenario 2: Whitelisting

Your global authentication-default is “requires authentication”. You create a new action method on a controller that should be accessible without authentication and forget to add the [AllowAnonymous] attribute.

Resulting issue: You try your application, can’t enter that new page and fix it. In the worst case you didn’t do your homework and a customer/user finds the bug and complains to you.

Which issue would you rather have to deal with?

I personally prefer the whitelisting approach and err on the side of caution.

See also: Enable global authentication with ASP.NET MVC and Identity


Enable global authentication with ASP.NET MVC and Identity

To require user authentication for all action methods on all controllers please add theĀ AuthorizeAttribute class to the App_Start/FilterConfig.cs file:

public static void RegisterGlobalFilters(GlobalFilterCollection filters) 
    filters.Add(new AuthorizeAttribute()); 

To configure an exception and allow anonymous access to an action method: Decorate it with theĀ AllowAnonymousattribute:

public ActionResult Index()
    // do stuff