Anti CSRF Token – ASP.NET
1. Download AntiCSRF from the CSRF module for ASP.NET.
2. In the project, place Idunno.AntiCsrf.dll in the Bin folder.
3. Add a reference to the module in your web.config:
For IIS6/IIS7 in Classic ASP.NET mode:
    <system.web>
      <httpModules>
        <add name="AntiCSRF" type="Idunno.AntiCsrf.AntiCsrfModule, Idunno.AntiCsrf"/>
      </httpModules>
    </system.web>
For IIS7 in integrated pipeline mode (modules are registered under system.webServer, not system.web):
    <system.webServer>
      <modules>
        <add name="AntiCSRF" type="Idunno.AntiCsrf.AntiCsrfModule, Idunno.AntiCsrf"/>
      </modules>
    </system.webServer>
4. Add the following settings to web.config:
    <configuration>
      <configSections>
        <section name="csrfSettings" type="Idunno.AntiCsrf.Configuration.CsrfSettings, Idunno.AntiCsrf" />
      </configSections>
      <csrfSettings cookieName="__CSRFCOOKIE" formFieldName="__CSRFTOKEN" detectionResult="RaiseException" errorPage="" />
    </configuration>
5. Add the following code to the Page_Load event:
    protected void Page_Load(object sender, EventArgs e)
    {
        // Issue the token only on the initial request. On a postback Page_Load runs before the
        // click handler, so without this guard both the stored and the posted token would be
        // replaced with a fresh value and the comparison in step 6 would always succeed.
        if (IsPostBack) return;
        string page_name = System.IO.Path.GetFileName(System.Web.HttpContext.Current.Request.Url.AbsolutePath);
        string page_token = page_name + "_ID";
        Session[page_token] = CSRF_Token;   // server-side copy, keyed per page
        HiddenField1.Value = CSRF_Token;    // copy rendered into the form
    }
6. Add the following code to any event handler that performs a state-changing action (Button1_Click shown here):
    protected void Button1_Click(object sender, EventArgs e)
    {
        string Page_Token = System.IO.Path.GetFileName(System.Web.HttpContext.Current.Request.Url.AbsolutePath) + "_ID";
        // Read the stored token as a string so a missing entry (e.g. an expired session)
        // fails closed instead of throwing a NullReferenceException.
        string expected = Session[Page_Token] as string;
        if (expected == null || HiddenField1.Value != expected)
        {
            Session.Abandon();
            Session.Clear();
            Response.Redirect("default.aspx");
        }
    }
References
http://anticsrf.codeplex.com/
http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks
https://www.owasp.org/index.php/.Net_CSRF_Guard
The above code doesn’t compile: in Page_Load, the variable CSRF_Token isn’t defined. Where are the variable and its value coming from?
    // Create a unique and random string
    string CSRF_Token = System.Guid.NewGuid().ToString();