I need to implement cross site request forgery (CSRF) protection in ASP.NET webform

Question

1.00/5 (1 vote)

See more:

I need to implement CSRF in asp.net web forms to prevent unwanted cross site request.

[edit]Added the word "Protection" to subject line to prevent "malicious coder" kicking, and added code block to "What have you tried" section - OriginalGriff[/edit]

What I have tried:

I have tried below code to implement CSRF but it did not work for me.

C#

public class CSRFBASE : System.Web.UI.Page
    {
        private const string AntiXsrfTokenKey = "__AntiXsrfToken";
        private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
        private string _antiXsrfTokenValue;
        protected void Page_Init(object sender, EventArgs e)
        {
            // The code below helps to protect against XSRF attacks
            var requestCookie = Request.Cookies[AntiXsrfTokenKey];
            Guid requestCookieGuidValue;
            if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
            {
                // Use the Anti-XSRF token from the cookie
                _antiXsrfTokenValue = requestCookie.Value;
                Page.ViewStateUserKey = _antiXsrfTokenValue;
            }
            else
            {
                // Generate a new Anti-XSRF token and save to the cookie
                _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
                Page.ViewStateUserKey = _antiXsrfTokenValue;

                var responseCookie = new HttpCookie(AntiXsrfTokenKey)
                {
                    HttpOnly = true,
                    Value = _antiXsrfTokenValue
                };
                if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
                {
                    responseCookie.Secure = true;
                }
                Response.Cookies.Set(responseCookie);
            }

            Page.PreLoad += master_Page_PreLoad;
        }

        protected void master_Page_PreLoad(object sender, EventArgs e)
        {
            if (!IsPostBack)
            {
                // Set Anti-XSRF token
                ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
                ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
            }
            else
            {
                // Validate the Anti-XSRF token
                if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                    || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
                {
                    throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
                }
            }
        }
    }

Posted 9-Aug-17 3:14am

Dev_TechnoLabs

Updated 22-Apr-20 20:52pm

OriginalGriff

v2

Add a Solution

Comments

Kornfeld Eliyahu Peter 9-Aug-17 9:17am

Do you mean you want to implement protection from CSRF?!

Dev_TechnoLabs 9-Aug-17 9:18am

Yes

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Member 12718153 · Answer 1 · 2020-04-22T20:53:00

Use the below code:

In Design Page:
<div id="DivCSRF" runat="server"></div>

In Code Page:
Protected Sub Page_Init(ByVal sender As Object, ByVal e As EventArgs)
        DivCSRF.InnerHtml = AntiForgery.GetHtml().ToString()
    End Sub

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        DivCSRF.InnerHtml = AntiForgery.GetHtml().ToString()
        If IsPostBack Then
            Try
                AntiForgery.Validate()
            Catch ex As Exception
                Response.Redirect("~/Unauthorize.aspx", False)
                Exit Sub
            End Try
        End If

Kornfeld Eliyahu Peter · Answer 2 · 2017-08-09T03:20:00

Solution 1

Prevent Cross-Site Request Forgery (CSRF) using ASP.NET MVC’s AntiForgeryToken() helper[^]
Preventing Cross-Site Request Forgery (CSRF) Attacks in ASP.NET Web API | Microsoft Docs[^]
Preventing Cross-Site Request Forgery (XSRF/CSRF) Attacks in ASP.NET Core | Microsoft Docs[^]
[^]
Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - OWASP[^]
webforms - preventing cross-site request forgery (csrf) attacks in asp.net web forms - Stack Overflow[^]

Posted 9-Aug-17 3:20am

Kornfeld Eliyahu Peter

Comments

Dev_TechnoLabs 9-Aug-17 9:27am

most of the links are related to MVC. not useful for me

Kornfeld Eliyahu Peter 9-Aug-17 9:31am

Learning is always useful!!! If not other, than the existence of other technologies beyond WebForms...
And the last two (especially the last) is exactly what you are looking for... including exact code sample...

F-ES Sitecore 9-Aug-17 9:31am

So google "asp.net csfr protection webforms" or ""asp.net csfr protection webforms -mvc". Believe it or not you're not the first person to want to do this so the code is readily available if you just look for it.

Dev_TechnoLabs 6-Oct-17 7:24am

@F-ES Sitecore thanks for your good suggestion. I will definitely do that.