Thread: CH 4 CSRF
View Single Post
  #3 (permalink)  
Old August 5th, 2010, 01:13 AM
msherburne84 msherburne84 is offline
Authorized User
 
Join Date: Nov 2009
Location: Portsmouth,NH
Posts: 22
Thanks: 1
Thanked 3 Times in 3 Posts
Send a message via Yahoo to msherburne84
Default

I just tried that and that is not working. I added in the code as you said with
system.webmodules, but can't seem to find out what system.webmodules is.

This is what I have in my web.config file
Code:
  <system.webServer>
    <modules>
      <add name="AntiCSRF.AntiCSRF" preCondition="managedHandler"
   type="AntiCSRF.AntiCSRF, AntiCSRF"/>
    </modules>
  </system.webServer>
This is what I have for AntiCSRF.cs

Code:
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Text;
using System.Web;
using System.Web.UI;

namespace AntiCSRF
{
    class AntiCSRF : IHttpModule
    {
        public AntiCSRF()
        {
        }

        #region IHttpModule Members
        public void Dispose()
        {
            
        }

        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += new EventHandler(context_PreSendRequestHeaders);
            context.PreRequestHandlerExecute += new EventHandler(context_PreRequestHandlerExecute);
        }
        #endregion

        #region Event Handlers
        void context_PreRequestHandlerExecute(object sender, EventArgs e)
        {            
        }

        void context_PreSendRequestHeaders(object sender, EventArgs e)
        {            
        }

        private static void PreRequestHandlerExecute(object source, EventArgs eventArgs)
        {
            HttpApplication application = (HttpApplication)source;
            HttpContext context = application.Context;
            if (context.Handler != null)
            {
                Page page = context.Handler as Page;
                if (page != null)
                {
                    page.PreRender += PagePreRender;
                }
            }
        }

        private static void PagePreRender(object source, EventArgs eventArgs)
        {
            Page page = source as Page;
            if (page != null && page.Form != null)
            {
                string csrfToken;
                HttpContext context = HttpContext.Current;
                if (context.Request == null ||
                    context.Request.Cookies == null ||
                    context.Request.Cookies["__CSRFCOOKIE"] == null ||
                    string.IsNullOrEmpty(context.Request.Cookies["__CSRFCOOKIE"].Value))
                {
                    csrfToken = Guid.NewGuid().ToString("D", CultureInfo.InvariantCulture);
                    context.Items["Wrox.CSRFContext"] = csrfToken;
                }
                else
                    csrfToken = page.Request.Cookies["__CSRFCOOKIE"].Value;

                ObjectStateFormatter stateFormatter = new ObjectStateFormatter();
                page.ClientScript.RegisterHiddenField("__CSRFTOKEN", stateFormatter.Serialize(csrfToken));
            }
        }

        #endregion
    }
}
I also took your suggestion to look over Leveraging_HTTPModules_for_Better_ASPNET_Applicati on and couldn't find any reference to system.webmodules either. Maybe I'm missing something.
Thanks again in advance.