Last post Jul 27, 2017 11:01 AM by Billy Liu
Jul 21, 2017 03:30 PM | dipeshnepal
We use an old-school way of logging users in to our system; we do not set or use Context.User.Identity.Name. Can I change my code to set the username I have after authentication to achieve the same result, or is this another big loophole I have opened by using the username? We do not set or have code to do the Form.Authen.. to set the identity names.
Private Sub FrameworkPage_PreRender(sender As Object, e As EventArgs) Handles Me.PreRender
    Dim userName As String
    If IsAuthenticated() Then
        'userName = Context.User.Identity.Name ' auto generated code way
        userName = CurrentUser.UserName ' username from our own login, not the Identity
    Else
        userName = ""
    End If

    If Not IsPostBack Then
        ' Set Anti-XSRF token
        ViewState(AntiXsrfTokenKey) = Page.ViewStateUserKey
        ViewState(AntiXsrfUserNameKey) = If(userName, [String].Empty)
    Else
        ' Validate the Anti-XSRF token
        If DirectCast(ViewState(AntiXsrfTokenKey), String) <> _antiXsrfTokenValue OrElse
           DirectCast(ViewState(AntiXsrfUserNameKey), String) <> (If(userName, [String].Empty)) Then
            Throw New InvalidOperationException("Validation of Anti-XSRF token failed.")
        End If
    End If
End Sub
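For reference, here is the complete Web Forms anti-XSRF pattern (cookie half plus ViewState half) with the username taken from the application's own session-based login instead of Context.User.Identity.Name. This is an added example, not the poster's code or the Visual Studio template verbatim; `IsAuthenticated()` and `CurrentUser.UserName` are assumed to exist in the poster's base page, and `FrameworkPage` is the class name taken from the snippet above. The check is placed in PreLoad rather than PreRender on purpose: PreLoad runs before Load and before any postback event handlers fire, so a request with a bad token is rejected before a button click or other control event can execute.

```vb
Imports System
Imports System.Web
Imports System.Web.UI

' Added example: anti-XSRF token bound to the application's own username.
' Assumed to exist on the poster's page: IsAuthenticated(), CurrentUser.UserName.
Partial Class FrameworkPage
    Inherits Page

    Private Const AntiXsrfTokenKey As String = "__AntiXsrfToken"
    Private Const AntiXsrfUserNameKey As String = "__AntiXsrfUserName"
    Private _antiXsrfTokenValue As String

    ' The username our own login stored, or "" for anonymous users.
    ' Any value that is stable for the lifetime of one login works here;
    ' it ties the token to the user the form was issued to.
    Private Function AntiXsrfUserName() As String
        If IsAuthenticated() Then
            Return If(CurrentUser.UserName, String.Empty)
        End If
        Return String.Empty
    End Function

    Protected Sub Page_Init(sender As Object, e As EventArgs) Handles Me.Init
        ' Cookie half: reuse the token in the request cookie, or issue a new one.
        Dim requestCookie As HttpCookie = Request.Cookies(AntiXsrfTokenKey)
        Dim requestCookieGuidValue As Guid
        If requestCookie IsNot Nothing AndAlso Guid.TryParse(requestCookie.Value, requestCookieGuidValue) Then
            _antiXsrfTokenValue = requestCookie.Value
            Page.ViewStateUserKey = _antiXsrfTokenValue
        Else
            ' New random token; HttpOnly keeps it out of reach of page script,
            ' Secure is set whenever the page itself was served over HTTPS.
            _antiXsrfTokenValue = Guid.NewGuid().ToString("N")
            Page.ViewStateUserKey = _antiXsrfTokenValue
            Dim responseCookie As New HttpCookie(AntiXsrfTokenKey) With {
                .HttpOnly = True,
                .Secure = Request.IsSecureConnection,
                .Value = _antiXsrfTokenValue
            }
            Response.Cookies.Set(responseCookie)
        End If
    End Sub

    Protected Sub Page_PreLoad(sender As Object, e As EventArgs) Handles Me.PreLoad
        ' ViewState half: on first render remember token and user; on postback
        ' both must match what the cookie and the current login say now.
        Dim userName As String = AntiXsrfUserName()
        If Not IsPostBack Then
            ViewState(AntiXsrfTokenKey) = Page.ViewStateUserKey
            ViewState(AntiXsrfUserNameKey) = userName
        Else
            If DirectCast(ViewState(AntiXsrfTokenKey), String) <> _antiXsrfTokenValue OrElse
               DirectCast(ViewState(AntiXsrfUserNameKey), String) <> userName Then
                ' Either the form did not originate from this browser's cookie,
                ' or the user changed between issuing the form and posting it.
                Throw New InvalidOperationException("Validation of Anti-XSRF token failed.")
            End If
        End If
    End Sub
End Class
```

The username comparison is what catches the case where a form was rendered for one login and posted back after the session now belongs to a different user; the token comparison alone would not notice that, because the cookie token is per browser, not per user.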
Jul 24, 2017 05:53 AM | Billy Liu
Do you want to prevent the username from being changed by a CSRF attack?
How do you set the username? Do you set it by request?
If so, the Anti-CSRF token can prevent the username from being changed by the attacker.
The Anti-CSRF token is used to prevent an attacker from faking the request.
I think it is fine that you use your username.
You could refer to the link below for more information about Anti-CSRF:
Jul 24, 2017 01:54 PM | dipeshnepal
Authentication is done against the database with the user name and password typed by the end users; the userid, username and some other fields are added to the session. Almost all checks are based on the userid that is in the session; the username is read when account settings are accessed and maybe in a few other places.
Jul 27, 2017 11:01 AM | Billy Liu
According to your description, I don't think there is a problem with using your own username together with the Anti-XSRF token.