I am doing CSRF attack prevention in ASP.NET with C#. Currently the AntiXSRF token value is generated via a GUID and stored in the response cookie headers. I want to store/validate the CSRF token without storing it in the request/response cookie headers.

What I have tried:

Code is as below:

var requestCookie = Request.Cookies[AntiXsrfTokenKey];
Guid requestCookieGuidValue;
if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
{
    // Use the Anti-XSRF token from the cookie
    _antiXsrfTokenValue = requestCookie.Value;
    Page.ViewStateUserKey = _antiXsrfTokenValue;
}
else
{
    // Generate a new Anti-XSRF token and save to the cookie
    _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
    Page.ViewStateUserKey = _antiXsrfTokenValue;

    var responseCookie = new HttpCookie(AntiXsrfTokenKey)
    {
        HttpOnly = true,
        Value = _antiXsrfTokenValue
    };
    if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
    {
        responseCookie.Secure = true;
    }
    Response.Cookies.Set(responseCookie);
}
Updated 17-Jan-22 1:32am (v2)
Comments
Richard Deeming 17-Jan-22 8:00am    
Why? That's precisely how every anti-XSRF system works, so what makes you think it's not appropriate for your site?

Even if you move the token into session storage, you still need to send a cookie to identify the session, so you don't gain anything.

If you're worried about cookies being stolen or intercepted, make sure your site is only served over HTTPS. That way, nobody sitting between your server and your user can see or tamper with the traffic.
Member 15421351 17-Jan-22 10:04am    
I want to hide the cookie for the AntiXSRF token from the response headers section even without using HTTPS.
Richard Deeming 17-Jan-22 10:27am    
Why? You want to prevent cross-site request forgery, but you DON'T want to protect your users' data in-transit?

Just ditch the XSRF protection if you really care so little about your users...
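To make the point in the comments concrete, the added example below (not code from either participant) implements the "token in session storage" variant: a synchronizer token kept in Session and echoed as a hidden form field, so no Set-Cookie header for the token itself is emitted. The request is still tied to the ASP.NET_SessionId cookie that Session depends on, so the cookie dependency moves rather than disappears. CsrfPage, SessionTokenKey and FieldName are assumed names; RegisterHiddenField, RandomNumberGenerator and HttpException are standard .NET Framework APIs.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.UI;

// Added example: session-stored synchronizer token for Web Forms pages.
// CsrfPage, SessionTokenKey and FieldName are assumed names.
public class CsrfPage : Page
{
    private const string SessionTokenKey = "__CsrfToken"; // key inside Session
    private const string FieldName = "__CsrfField";       // hidden field name in the form

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (IsPostBack)
        {
            ValidateToken(); // reject the postback before any control event runs
        }
        PreRender += (sender, args) => ClientScript.RegisterHiddenField(FieldName, CurrentToken());
    }

    // One random token per session; the session itself is identified by the
    // ASP.NET_SessionId cookie, which is why this does not remove cookies from the picture.
    private string CurrentToken()
    {
        var token = Session[SessionTokenKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(bytes);
            }
            token = Convert.ToBase64String(bytes);
            Session[SessionTokenKey] = token;
        }
        return token;
    }

    private void ValidateToken()
    {
        var submitted = Request.Form[FieldName];
        var expected = Session[SessionTokenKey] as string;
        if (submitted == null || expected == null || !FixedTimeEquals(submitted, expected))
        {
            throw new HttpException(403, "Anti-CSRF token missing or invalid.");
        }
    }

    // Constant-time comparison so a mismatch does not leak position information
    // through timing; CryptographicOperations.FixedTimeEquals is not available on .NET Framework.
    private static bool FixedTimeEquals(string a, string b)
    {
        var x = Encoding.UTF8.GetBytes(a);
        var y = Encoding.UTF8.GetBytes(b);
        if (x.Length != y.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < x.Length; i++)
        {
            diff |= x[i] ^ y[i];
        }
        return diff == 0;
    }
}
```

Pages derive from CsrfPage instead of Page and need no other change. Whichever variant is used, the protection only holds when the identifying cookie cannot be read or replayed by a third party, which in practice means serving the site over HTTPS with the cookie marked Secure and HttpOnly.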

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


