I have an HTML page with a form in my application. The HTML page has a submit button which submits to a handler (ashx) or to an aspx page in the same web application.

I want to implement CSRF protection for my application. Any suggestion or guidance regarding this is appreciated.

What I have tried:

I thought about getting some token from the server and storing it in the HTML page. When the form is submitted to the server, I will verify the validity of the token in the ASHX/ASPX page. How should I generate the token on the server, store it on the server and validate it again on the server when the form is submitted? I am using a database to store session information.
Comments
Atlapure Ambrish 10-Jul-17 7:45am    
For CSRF, refer to the URLs below:
https://software-security.sans.org/developer-how-to/developer-guide-csrf
https://stackoverflow.com/questions/29939566/preventing-cross-site-request-forgery-csrf-attacks-in-asp-net-web-forms

As you are thinking of generating a token and storing it on the server to validate later on, I think you can do that. The approach should be to generate a GUID (or this could be any value of your choice; it would be more beneficial if you could make it configurable), then encrypt it before storing it on the server using some algorithm, and then add this to a hidden field on your form. Encrypting would add an extra validation level.
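The synchronizer-token pattern the question and comment describe, as an added example that is not code from the asker or the commenter. It generates the token from the framework's CSPRNG rather than a GUID, keeps the server copy in `Session` (which works unchanged when session state is backed by SQL Server, as the question describes) instead of encrypting it, and checks the posted value in constant time. The class and field names (`CsrfToken`, `__csrf_token`, `ProtectedFormHandler`) are assumptions for illustration, not names from the page.

```csharp
// Added example, not from the question or comment: synchronizer-token CSRF
// protection for an ASP.NET Web Forms / ASHX application.
// Names below (CsrfToken, __csrf_token, ProtectedFormHandler) are assumed.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;

public static class CsrfToken
{
    public const string SessionKey = "__csrf_token";   // assumed session key
    public const string FormField  = "__csrf_token";   // assumed hidden-field name

    // One token per session, from a CSPRNG. A GUID is not guaranteed to be
    // unpredictable, so it should not be used as the secret itself.
    // Reusing the session token lets several open forms validate at once.
    public static string GetOrCreate(HttpSessionState session)
    {
        var token = session[SessionKey] as string;
        if (string.IsNullOrEmpty(token))
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(bytes);
            }
            token = Convert.ToBase64String(bytes);
            session[SessionKey] = token;
        }
        return token;
    }

    // Constant-time comparison of the submitted value against the session
    // copy, so a mismatch does not reveal how many leading bytes matched.
    public static bool IsValid(HttpSessionState session, string submitted)
    {
        var expected = session[SessionKey] as string;
        if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(submitted))
            return false;
        byte[] a = Encoding.UTF8.GetBytes(expected);
        byte[] b = Encoding.UTF8.GetBytes(submitted);
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// In the HTML form that posts to the handler, embed the token as a hidden
// field (the value is HTML-encoded by <%: %>):
//   <input type="hidden" name="__csrf_token"
//          value="<%: CsrfToken.GetOrCreate(Session) %>" />

// ProtectedForm.ashx: IRequiresSessionState is needed, otherwise
// context.Session is null inside an ASHX handler.
public class ProtectedFormHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        var request = context.Request;
        // Read the token from the POST body only (Request.Form), not from
        // Request[...], which would also accept it from the query string.
        string submitted = request.Form[CsrfToken.FormField];
        if (request.HttpMethod != "POST" ||
            !CsrfToken.IsValid(context.Session, submitted))
        {
            context.Response.StatusCode = 403;
            context.Response.Write("Invalid or missing CSRF token.");
            return;
        }
        // Token verified: process the form as usual.
        context.Response.Write("Form accepted.");
    }
}
```

The same `CsrfToken.IsValid` call can be placed at the top of `Page_Load` for an aspx target (`if (IsPostBack && !CsrfToken.IsValid(Session, Request.Form[CsrfToken.FormField])) { Response.StatusCode = 403; Response.End(); }`). Because the token is compared against the copy held in the server-side session, an attacker's page on another origin has no way to read it, which is what makes the hidden-field value a usable check.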

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)