In this post I will explain how to fix CSRF attack in ASP.Net Web Forms application. I found many articles talking about how to implement this in MVC applications, but I face real trouble to develop this in Web Forms. I found following solution worked for me.
We have to write the following code in site's Master page, and this solution will apply CSRF protection to all content pages that are inherit from this Master page. Also make sure all requests making data modifications must use the ViewState.
Here is the code we need to write in Master Page code-behind file.
public partial class SiteMaster : MasterPage
{
private const string AntiXsrfTokenKey = "__AntiXsrfToken";
private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
private string _antiXsrfTokenValue;
protected void Page_Init(object sender, EventArgs e)
{
//check if we already have Anti-XSS cookie, then put it in page's global variable
var requestCookie = Request.Cookies[AntiXsrfTokenKey];
Guid requestCookieGuidValue;
if (requestCookie != null
&& Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
{
_antiXsrfTokenValue = requestCookie.Value;
Page.ViewStateUserKey = _antiXsrfTokenValue;
}
//If we do not found CSRF cookie, then this is a new session, so create a new cookie with Anti-XSRF token
else
{
_antiXsrfTokenValue = Guid.NewGuid().ToString("N");
Page.ViewStateUserKey = _antiXsrfTokenValue;
var responseCookie = new HttpCookie(AntiXsrfTokenKey)
{
HttpOnly = true,
//Add the Anti-XSRF token to the cookie value
Value = _antiXsrfTokenValue
};
//If we are using SSL, the cookie should be set to secure
if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
{
responseCookie.Secure = true;
}
//Add the CSRF cookie to the response
Response.Cookies.Set(responseCookie);
}
Page.PreLoad += master_Page_PreLoad;
}
protected void master_Page_PreLoad(object sender, EventArgs e)
{
//During the initial page request, Add the Anti-XSRF token and user name to the ViewState
if (!IsPostBack)
{
ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
}
//During all post back requests to the page, Validate the Anti-XSRF token
else
{
if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
|| (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
{
throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
}
}
}
}
If Context.User.Identity.Name is empty?
In case if it does not work as per the expectations, one reason could be that the Context.User.Identity.Name is containing empty string not the real user name.
To fix this make sure you need authentication mode set to windowsAuthentication in web.config. and have
disabled the anonymous authentication. Hence all the authentication mechanisms are disabled, except for the Windows Authentication.
Another alternative could be if you are manually maintaining login user's data in some Session variable, then replace that statement to read user name from that Session variable rather than Context.User.Identity.Name.
For example, after making this change of reading user name from Session variable, the code listing of master_Page_PreLoad event handler will become similar to this:
protected void master_Page_PreLoad(object sender, EventArgs e)
{
//During the initial page request, Add the Anti-XSRF token and user name to the ViewState
string userName = String.Empty;
if(Session["UserName"] != null)
{
userName = Session["UserName"].ToString();
}
if (!IsPostBack)
{
ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
ViewState[AntiXsrfUserNameKey] = userName;
}
//During all post back requests to the page, Validate the Anti-XSRF token
else
{
if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
|| (string)ViewState[AntiXsrfUserNameKey] != userName)
{
throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
}
}
}
Thats all you need. Now all the content pages that are inherited from this master page should be able to prevent CSRF attacks.
I hope this helps some of you who get stuck with a similar problem.
No comments:
Post a Comment