ASP.net Web Forms and Asp.net MVC Security

Question

First of all I know this is a very popular topic nowadays, and this question is asked many and many times.

But here I'm not asking which is better, since it's very clear that asp.net MVC is better than web forms.

The question here is, what to do with our already written asp.net web form it's neither small nor big, we can call it of medium size.

Is it really deserve to completely rewrite such application with asp.net MVC? The main thing we are concentrating on is Security.

So if MVC is better than web forms in terms of Performance a little bit only, it would'nt be a big matter. But if it is better than web forms in terms of security, even a little bit, it's really very important for us.

So that's what I want to know: what are the security advantages of wasting a lot of time and money to rewrite an already written web forms application with MVC?

Answer 1

Wasting "a lot of time and money" on rewriting well-done web forms code in MVC makes no sense whatsoever. To rewrite any code, you need a compelling reason.

Who said that MVC was "clearly better than web forms"? It is neither better in performance nor in security. What it's better in thought, is design.

MVC's design encourages the developers to leave the business logic out of the presentation. Although you can also move the logic out of the presentation in web forms too, its design does not encourage that because it takes much more efforts. The other way is also true, some developers still add logic to the view in MVC which defeats the purpose. Another issue is that MVC does nothing to also encourage the separation of business and data layer leaving that entirely up to the developers, so some developers keep all the logic in the controllers.

The separation of logic from the presentation makes the code much easier to test and much easier to divide between the UI designers and app developers.

All of that is very important to most projects, but not enough reason to rewrite code that's doing its job with no major issues. For new projects, it's definitely worth the consideration.

There are some other advantages to MVC, but in my opinion the above two are the most important. Also there are some advantages to web forms and they can be faster to develop certain app with, so we cannot say that MVC is absolutely better than web forms, although the advantages of MVC outweigh the advantages of web forms for most projects (not all), in my opinion.

Answer 2

if we leave the many advantages that MVC have over the web forms and the the control that you have over the application and talk about the Business part. The question should be changed to these two:

1. Do you want an future proof application which is using much more stable framework over which the developers can have full control?
2. Do you want this application just to run till it can?

if your application is going to evolve and will have new versions, functionalities and etc. Then yes you should However if you have static application that will not have big changes ( maybe some minor upgrades and bug fixes) then the investment is not worthy.

the security is not the question because the same security can be achieved by both technologies.