
Preventive Method for URL Request Forgery- An Example with ASP.NET MVC

A novel method to prevent the manipulation of parameters passed through the URL string.
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;

namespace SecureUrl.Models
{

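    /// <summary>
    /// Authorization filter that runs the normal AuthorizeAttribute checks and then
    /// rejects requests whose Referer header is missing or names a host other than the
    /// one that received the request. The referrer is a defence-in-depth heuristic only:
    /// browsers and proxies may legitimately omit it, so it belongs alongside the MVC
    /// anti-forgery token ([ValidateAntiForgeryToken]) rather than in place of it.
    /// </summary>
    public class IsPostedFromThisSiteAttribute : AuthorizeAttribute
    {
        /// <summary>
        /// Performs the base authorization (users/roles configured on the attribute) and
        /// then the same-host referrer check.
        /// </summary>
        /// <param name="filterContext">The authorization context for the current request.</param>
        /// <exception cref="System.Web.HttpException">
        /// Thrown with HTTP status 403 when the Referer is absent or its host differs from
        /// the host of the current request.
        /// </exception>
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            // The base call verifies the authenticated user / roles first.
            base.OnAuthorization(filterContext);

            // If there is no HTTP context, or the base filter already produced a result
            // (for example an unauthorized response), there is nothing further to check.
            if (filterContext == null || filterContext.HttpContext == null || filterContext.Result != null)
            {
                return;
            }

            var request = filterContext.HttpContext.Request;
            Uri referrer = request.UrlReferrer;
            if (referrer == null)
            {
                // 403 rather than the default 500: the request is understood but not allowed.
                throw new System.Web.HttpException(403, "Invalid submission");
            }

            // Host names are case-insensitive, so compare them ordinally ignoring case.
            if (request.Url == null || !string.Equals(referrer.Host, request.Url.Host, StringComparison.OrdinalIgnoreCase))
            {
                throw new System.Web.HttpException(403, "Invalid submission");
            }
        }
    }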
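    /// <summary>
    /// Produces a keyed hash (HMAC-SHA1) over a "controller/action//param1/param2..." string
    /// so that the receiving action can detect URL parameters altered in transit. The receiver
    /// recomputes the token from the parameters it actually received and compares it with the
    /// token in the request; that comparison should be fixed-time so it does not reveal how
    /// many leading characters matched.
    /// </summary>
    public static class SecureUrlToken
    {
        // Salt used by the four-argument overload. Kept as the original literal so tokens
        // already issued keep verifying; deployments should prefer the overload with an explicit salt.
        private const string DefaultSalt = "#testsalt";

        // PBKDF2 iteration count. 1000 is what the two-argument Rfc2898DeriveBytes constructor
        // used implicitly; it is written out so the token format is explicit and stable.
        private const int KeyDerivationIterations = 1000;

        // Number of key bytes derived from the password for the HMAC.
        private const int KeyLengthBytes = 16;

        /// <summary>
        /// Generates the URL token for the given controller, action and parameters using the
        /// built-in default salt.
        /// </summary>
        /// <param name="controllerName">Controller segment of the URL (null is treated as empty).</param>
        /// <param name="actionName">Action segment of the URL (null is treated as empty).</param>
        /// <param name="argumentParams">Parameter values, in order; each element must be a string.</param>
        /// <param name="password">Secret from which the HMAC key is derived.</param>
        /// <returns>The Base64-encoded HMAC-SHA1 of the canonical path string.</returns>
        /// <exception cref="ArgumentNullException">argumentParams or password is null.</exception>
        public static string generateUrlToken(string controllerName, string actionName, ArrayList argumentParams, string password)
        {
            return generateUrlToken(controllerName, actionName, argumentParams, password, DefaultSalt);
        }

        /// <summary>
        /// Generates the URL token for the given controller, action and parameters using the
        /// supplied salt for the key derivation.
        /// </summary>
        /// <param name="controllerName">Controller segment of the URL (null is treated as empty).</param>
        /// <param name="actionName">Action segment of the URL (null is treated as empty).</param>
        /// <param name="argumentParams">Parameter values, in order; each element must be a string.</param>
        /// <param name="password">Secret from which the HMAC key is derived.</param>
        /// <param name="salt">Salt for the PBKDF2 derivation; must be at least 8 bytes once encoded.</param>
        /// <returns>The Base64-encoded HMAC-SHA1 of the canonical path string.</returns>
        /// <exception cref="ArgumentNullException">argumentParams, password or salt is null.</exception>
        /// <exception cref="InvalidCastException">An element of argumentParams is not a string.</exception>
        public static string generateUrlToken(string controllerName, string actionName, ArrayList argumentParams, string password, string salt)
        {
            if (argumentParams == null)
            {
                throw new ArgumentNullException("argumentParams");
            }
            if (password == null)
            {
                throw new ArgumentNullException("password");
            }
            if (salt == null)
            {
                throw new ArgumentNullException("salt");
            }

            // Canonical string that gets authenticated. The "/" after the action plus the "/"
            // before each parameter yields a double slash; it is preserved on purpose so that
            // tokens computed by earlier builds still verify.
            StringBuilder canonical = new StringBuilder();
            canonical.Append(controllerName).Append('/').Append(actionName).Append('/');
            foreach (string param in argumentParams)
            {
                canonical.Append('/').Append(param);
            }

            // UTF-8 instead of ASCII: ASCII.GetBytes turns every non-ASCII character into '?',
            // so two different non-ASCII parameter values would have produced the same token.
            // For pure-ASCII input the bytes, and therefore the token, are unchanged.
            byte[] message = Encoding.UTF8.GetBytes(canonical.ToString());
            byte[] saltBytes = Encoding.UTF8.GetBytes(salt);

            // Both objects are IDisposable and hold key material; dispose them as soon as the
            // hash is computed. The key is re-derived on every call, which is deliberate for
            // simplicity; derive once per password and cache if this becomes a hot path.
            byte[] hash;
            using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, saltBytes, KeyDerivationIterations))
            {
                byte[] secretKey = kdf.GetBytes(KeyLengthBytes);
                using (HMACSHA1 mac = new HMACSHA1(secretKey))
                {
                    hash = mac.ComputeHash(message);
                }
            }

            return Convert.ToBase64String(hash);
        }
    }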
}


License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


