Last post Nov 08, 2012 01:58 PM by BrockAllen
Nov 07, 2012 03:41 AM
I need to prevent Cross-Site Request Forgery (CSRF) attacks on my web application (.NET version 3.5). Please let me know a simple way to implement it. And I need to do it for every page in my application.
Note: I tried setting enableViewStateMac = false in web.config and assigning a unique value to "ViewStateUserKey" in the page OnInit. But later we decided not to go with this solution, as setting "enableViewStateMac = false" in a production environment is itself a security flaw.
Nov 07, 2012 05:07 AM
You can do it using the Referrer URL. When a request comes in to any page you will get the Referrer URL; check whether the URL is of the same domain or not. If it is of a different domain, you can redirect to some page where you can have an error page.
Let me know if you have any query.
Nov 07, 2012 06:18 AM
Thank you very much for the reply. I will try your solution now. But in the meantime please let me know, are you referring to "Request.UrlReferrer"? Do I need to check Request.UrlReferrer against the domain name?
I will try this and let you know the results.
Nov 07, 2012 07:09 AM
Yes, you have to check the domain name in Request.UrlReferrer.
Nov 07, 2012 01:33 PM
Referrer isn't perfect. And yes, you want enableViewStateMac to be enabled.
There's a library on codeplex that provides a better mechanism:
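Putting the advice in this thread into code, as an added example that is not part of the thread or of the codeplex library: a Page base class that sets ViewStateUserKey while keeping enableViewStateMac enabled, with the referrer check kept only as a secondary measure. The names CsrfProtectedPage and IsSameOrigin are my own, and the code assumes ASP.NET WebForms on .NET 3.5 with session state enabled.

```csharp
// Added example, not code from the thread. Keep <pages enableViewStateMac="true" /> in
// web.config (it is the default; never set it to false). ViewStateUserKey then makes the
// ViewState MAC per-user, so ViewState captured in one session fails validation when
// posted back from another.
using System;
using System.Web;
using System.Web.UI;

public class CsrfProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Session.SessionID is only stable once something has been stored in session;
        // writing a marker on the first request forces that.
        if (Session["init"] == null) Session["init"] = DateTime.UtcNow;
        ViewStateUserKey = Session.SessionID;
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Referrer checking is defence in depth only: browsers and proxies often strip
        // it, so decide your own policy for a missing referrer (rejected here on postback).
        if (IsPostBack && !IsSameOrigin(Request.UrlReferrer, Request.Url))
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }

    // Exact scheme/host/port comparison. Avoid substring tests on the referrer string,
    // which would also accept unrelated hosts whose name merely contains your domain.
    public static bool IsSameOrigin(Uri referrer, Uri requestUrl)
    {
        if (referrer == null || requestUrl == null) return false;
        return string.Equals(referrer.Scheme, requestUrl.Scheme, StringComparison.OrdinalIgnoreCase)
            && string.Equals(referrer.Host, requestUrl.Host, StringComparison.OrdinalIgnoreCase)
            && referrer.Port == requestUrl.Port;
    }
}
```

Deriving each page from CsrfProtectedPage (or doing the same in a PageAdapter or HttpModule) applies the protection to every page in the application, which was the original question.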
Nov 08, 2012 05:28 AM
Thank you BrockAllen for your reply.
I know Referrer is not perfect. I thought of using the library given in http://anticsrf.codeplex.com/, but as per my company policies I am not supposed to use third-party DLLs unless we buy a license or we have the code of that DLL. So can you please let me know whether code is available for the library given in http://anticsrf.codeplex.com/.
Nov 08, 2012 01:58 PM
The code is right there on the link I gave you: