Preventing CSRF in ASP
I have a classic ASP page which has a form submitting to itself. I have to prevent CSRF on the page. So I went with using a hidden random variable in the form and a session variable to store it. Here is similar code.
This works fine unless the user clicks the back button. If the back button is clicked, somehow the session and form values don't match the first time (clicking on the Add button). The next click on Add works fine.
Please help me. I got stuck here.
Any knowledge regarding sessions and the back button is appreciated.
'here is the anti-csrf check
'Do some Critical DB operations
<form name="f1" action="mypage.asp" method="POST">
<input type="text" name="name"/>
<input type="hidden" name="add" value="true"/>
<input type="hidden" name="uid" value="<%=uid%>"/>
<input type="submit" value="Add"/>
</form>
I've never tried before, but I'm under the understanding that the Back button won't submit any data, and any call to request.form will return null, especially on the first page where no data has been submitted yet. Can you show a link to the site?
I don't think that you are going about this the right way. What I would do is generate a random number and store it in the session as well as on the form. Then when the form is submitted, make sure the 2 match.
It's truly shameful that I have to tell people that they are asking .NET questions in a classic ASP board. . .
request.form("add") returns null when the form is not submitted. When the user clicks the Add button, request.form("add") returns true and some DB operations get processed.
Please help if you have any idea of solving the problem.
When you hit the back button, it first executes
which is "False", or the value of "add" becomes NULL, and thus it does not execute the CSRF check.
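The pattern the replies describe (random value stored in the session and in a hidden field, compared on submit), written out as a complete self-posting classic ASP page that also survives the Back button. This is an added example, not the original poster's code or any reply's code. It assumes the file is mypage.asp (the action in the posted form), that Session state is enabled, and that the Scriptlet.TypeLib COM object is available for GUID generation; the field names "name", "add" and "uid" are taken from the posted form, and the session key "csrf_token" is my own choice.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example (not the original poster's code). Assumes this file is
' mypage.asp, that Session state is enabled, and that the Scriptlet.TypeLib
' COM object is registered on the server (it is on standard Windows installs).

Dim token, submittedToken, msg
msg = ""

' Build a random token from a fresh GUID. Scriptlet.TypeLib.Guid returns the
' 38-character "{...}" string followed by trailing nulls, hence Left(..., 38).
' A GUID is unguessable enough for this purpose on modern Windows, but it is
' not a documented CSPRNG; swap in a stronger source if one is available.
Function NewToken()
    Dim tl
    Set tl = Server.CreateObject("Scriptlet.TypeLib")
    NewToken = Replace(Replace(Replace(Left(tl.Guid, 38), "{", ""), "}", ""), "-", "")
    Set tl = Nothing
End Function

' Issue ONE token per session and keep it. Regenerating the token on every
' render is what breaks the Back button: the cached form still carries the
' previous value while the session already holds the new one, so the first
' resubmit fails and only the re-rendered form (with the new value) succeeds.
If IsEmpty(Session("csrf_token")) Then
    Session("csrf_token") = NewToken()
End If
token = Session("csrf_token")

' Handle the self-submit. "add" is only present when the form was posted;
' on a plain GET (or a Back navigation that re-renders the page) it is Empty.
If Request.ServerVariables("REQUEST_METHOD") = "POST" And CStr(Request.Form("add")) = "true" Then
    submittedToken = CStr(Request.Form("uid"))
    ' The anti-CSRF check: the hidden field must equal the session copy.
    If Len(submittedToken) = 0 Or StrComp(submittedToken, token, vbBinaryCompare) <> 0 Then
        msg = "Request rejected: form token does not match the session token."
    Else
        ' Do the critical DB operations here.
        msg = "Added " & Server.HTMLEncode(CStr(Request.Form("name")))
    End If
End If
%>
<% If msg <> "" Then Response.Write "<p>" & msg & "</p>" %>
<form name="f1" action="mypage.asp" method="POST">
<input type="text" name="name"/>
<input type="hidden" name="add" value="true"/>
<input type="hidden" name="uid" value="<%=token%>"/>
<input type="submit" value="Add"/>
</form>
```

The key design choice is that the token lives for the whole session instead of being replaced on every render. A per-session synchronizer token is still a valid CSRF defence, because a cross-site attacker cannot read the victim's page to learn it; it only needs to be unguessable and never placed in a URL. If you do want a fresh token per form render, keep the last few issued values in the session and accept any of them, otherwise the Back button will show exactly the one-time mismatch described in the question.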