www.webdeveloper.com

Thread: Preventing CSRF in ASP

  1. #1
    Join Date
    Aug 2009
    Posts
    2

    Preventing CSRF in ASP

    Guys,
    I have a classic ASP page which has a form submitting to itself. I have to prevent CSRF in the page. So, I went with using a hidden random variable in the form and a session variable to store it. Here is similar code.

    This works fine unless the user clicks the Back button. If the Back button is clicked, somehow the session and form values don't match the first time (clicking on the Add button). The next click on Add works fine.

    Please help me. I got stuck here.

    Any knowledge regarding session and back button is appreciated.


    mypage.asp
    ------------
    <html>
    <body>

    <%
    ' Handle the self-posting form first.
    If Request.Form("add") = "true" Then
        ' Anti-CSRF check: the hidden field must match the value stored in the session.
        ' Both sides are truncated with Int() because the generated value is fractional.
        If Int(Session.Contents("uid")) = Int(Request.Form("uid")) Then
            ' Do some critical DB operations
        End If
    End If
    %>

    <%
    ' A new value is generated and stored on every render, including the render
    ' that follows a submit, so the session value changes on each request.
    Randomize
    uid = Rnd * 10000 + Rnd * 9
    Session("uid") = uid
    %>
    <form name="f1" action="mypage.asp" method="POST">
    <input type="text" name="name"/>
    <input type="hidden" name="add" value="true"/>
    <input type="hidden" name="uid" value="<%=uid%>"/>
    <input type="submit" name="submit" value="Add"/>
    </form>

    </body>
    </html>
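
    The mismatch after Back comes from regenerating the token on every render. After a successful submit, the response stores a new value in the session and puts that same new value in the hidden field it renders. The Back button does not contact the server; it restores the previous page from the browser cache, and that copy still carries the old token. Submitting it fails the check, the failed request renders a page whose hidden field matches the session again, and the second click succeeds. The page below is an added example, not code from the thread: it keeps the same self-posting form but issues the token once per session, so a cached page still holds the value the server expects. Session("csrf"), NewCsrfToken and IsValidCsrf are this example's own names, and the Scriptlet.TypeLib GUID trick is an assumption about what is available on the server.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Added example (not from the original thread). The token is generated once per
' session instead of on every render, which removes the Back-button mismatch.

Function NewCsrfToken()
    ' Assumption: the common VBScript trick of reading the Guid property of a new
    ' Scriptlet.TypeLib object (backed by CoCreateGuid). Two GUIDs are concatenated
    ' so the token is not a single guessable identifier. Randomize/Rnd, as used in
    ' the question, is a time-seeded generator and is not suitable for tokens.
    Dim g1, g2
    g1 = Mid(CreateObject("Scriptlet.TypeLib").Guid, 2, 36)
    g2 = Mid(CreateObject("Scriptlet.TypeLib").Guid, 2, 36)
    NewCsrfToken = Replace(g1 & g2, "-", "")
End Function

Function CsrfToken()
    ' Issue one token per session and keep it for the life of the session.
    ' Issue a fresh one whenever the session is re-created, e.g. at login.
    If IsEmpty(Session("csrf")) Then Session("csrf") = NewCsrfToken()
    CsrfToken = Session("csrf")
End Function

Function IsValidCsrf()
    ' Only a POSTed field counts: Request.Form never reads the query string, so a
    ' link such as mypage.asp?csrf=... cannot satisfy this check.
    Dim submitted
    IsValidCsrf = False
    If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then Exit Function
    If IsEmpty(Session("csrf")) Then Exit Function
    submitted = CStr(Request.Form("csrf"))
    If Len(submitted) = 0 Then Exit Function
    ' StrComp with vbBinaryCompare is a byte-for-byte, case-sensitive comparison.
    IsValidCsrf = (StrComp(submitted, Session("csrf"), vbBinaryCompare) = 0)
End Function

Dim message
message = ""
If Request.Form("add") = "true" Then
    If IsValidCsrf() Then
        ' Do the critical DB operations here.
        message = "Added " & Server.HTMLEncode(Request.Form("name"))
    Else
        Response.Status = "403 Forbidden"
        message = "Request rejected: missing or stale anti-CSRF token."
    End If
End If
%>
<html>
<body>
<p><%= message %></p>
<form name="f1" action="mypage.asp" method="POST">
<input type="text" name="name"/>
<input type="hidden" name="add" value="true"/>
<input type="hidden" name="csrf" value="<%= Server.HTMLEncode(CsrfToken()) %>"/>
<input type="submit" name="submit" value="Add"/>
</form>
</body>
</html>
```

    With a per-session token, every copy of the form the browser has cached, including one reached with Back or open in a second tab, stays valid for as long as the session lives. Rotating the token after each successful submit would bring the original symptom straight back, because the cached page cannot learn the new value; if a one-shot value is needed to stop accidental double submits, that is a separate idempotency check, not the CSRF token. The check also insists on a POST and reads only Request.Form, so neither a crafted link nor a request that omits the field gets past it.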

  2. #2
    Join Date
    Aug 2009
    Location
    England
    Posts
    29
    I've never tried before, but I'm under the understanding that the Back button won't submit any data, and any call to request.form will return null, especially on the first page where no data has been submitted yet. Can you show a link to the site?

  3. #3
    Join Date
    Dec 2007
    Location
    Dayton, OH
    Posts
    390
    I don't think that you are going about this the right way. What I would do is generate a random number and store it in the session as well as on the form. Then when the form is submitted, make sure the 2 match.
    It's truly shameful that I have to tell people that they are asking .NET questions in a classic ASP board. . .

  4. #4
    Join Date
    Aug 2009
    Posts
    2
    request.form("add") returns null when the form is not submitted. When the user clicks the Add button, request.form("add") returns true and some DB operations get processed.

    Please help if have any idea of solving the problem.

  5. #5
    Join Date
    Feb 2007
    Location
    Gujranwala
    Posts
    104
    When you hit the Back button, it first executes
    if(request.form("add")="true") then
    which is "False", or the value of "add" becomes NULL, and thus it does not execute the CSRF check.
