Wrox Programmer Forums

BOOK: Beginning ASP.NET Security
This is the forum to discuss the Wrox book Beginning ASP.NET Security by Barry Dorrans; ISBN: 978-0-470-74365-2
#1 (permalink)
August 5th, 2010, 01:22 AM
msherburne84 (Authorized User)
CH 4 CSRF

I'm trying to go along with the CSRF example. I'm running .NET 4.0 and have changed a few of the module settings in the web.config file:

Code:
      <add name="ScriptModule" preCondition="managedHandler"
           type="System.Web.Handlers.ScriptModule,
           System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
This is the public token from the 4.0 version of system.web.extensions. I'm not sure if this is my issue or what. I'm not initializing the AntiCSRF assembly at all.
#2 (permalink)
August 5th, 2010, 01:42 AM
Wrox Author

Oh, yes, that would be the wrong initialization string.

You'll need to use

Code:
<system.webmodules>
  ....
  <modules>
    <add name="AntiCSRF.AntiCSRF" preCondition="managedHandler"
 type="AntiCSRF.AntiCSRF, AntiCSRF"/>
  </modules>
  ....
</system.webmodules>
I'll get that put in the errata.
#3 (permalink)
August 5th, 2010, 02:13 AM
msherburne84 (Authorized User)

I just tried that and that is not working. I added in the code as you said with system.webmodules, but can't seem to find out what system.webmodules is.

This is what I have in my web.config file:
Code:
  <system.webServer>
    <modules>
      <add name="AntiCSRF.AntiCSRF" preCondition="managedHandler"
   type="AntiCSRF.AntiCSRF, AntiCSRF"/>
    </modules>
  </system.webServer>
This is what I have for AntiCSRF.cs:

Code:
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Text;
using System.Web;
using System.Web.UI;

namespace AntiCSRF
{
    class AntiCSRF : IHttpModule
    {
        public AntiCSRF()
        {
        }

        #region IHttpModule Members
        public void Dispose()
        {
            
        }

        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += new EventHandler(context_PreSendRequestHeaders);
            // Attach the token-issuing handler defined below so PagePreRender gets hooked.
            context.PreRequestHandlerExecute += new EventHandler(PreRequestHandlerExecute);
        }
        #endregion

        #region Event Handlers
        void context_PreSendRequestHeaders(object sender, EventArgs e)
        {
            // Not implemented yet: the token stored in context.Items["Wrox.CSRFContext"]
            // is never written to the __CSRFCOOKIE cookie.
        }

        private static void PreRequestHandlerExecute(object source, EventArgs eventArgs)
        {
            HttpApplication application = (HttpApplication)source;
            HttpContext context = application.Context;
            if (context.Handler != null)
            {
                Page page = context.Handler as Page;
                if (page != null)
                {
                    page.PreRender += PagePreRender;
                }
            }
        }

        private static void PagePreRender(object source, EventArgs eventArgs)
        {
            Page page = source as Page;
            if (page != null && page.Form != null)
            {
                string csrfToken;
                HttpContext context = HttpContext.Current;
                if (context.Request == null ||
                    context.Request.Cookies == null ||
                    context.Request.Cookies["__CSRFCOOKIE"] == null ||
                    string.IsNullOrEmpty(context.Request.Cookies["__CSRFCOOKIE"].Value))
                {
                    csrfToken = Guid.NewGuid().ToString("D", CultureInfo.InvariantCulture);
                    context.Items["Wrox.CSRFContext"] = csrfToken;
                }
                else
                    csrfToken = page.Request.Cookies["__CSRFCOOKIE"].Value;

                ObjectStateFormatter stateFormatter = new ObjectStateFormatter();
                page.ClientScript.RegisterHiddenField("__CSRFTOKEN", stateFormatter.Serialize(csrfToken));
            }
        }

        #endregion
    }
}
I also took your suggestion to look over Leveraging_HTTPModules_for_Better_ASPNET_Applicati on and couldn't find any reference to system.webmodules either. Maybe I'm missing something.
Thanks again in advance.
#4 (permalink)
August 5th, 2010, 02:19 AM
Wrox Author

If you're using IIS7 it will be at the bottom of the web.config.

You might want to pick up the latest code from http://anticsrf.codeplex.com/

If you're using IIS6 then it doesn't exist/get used; use the older style in system.web. In either case you'll see example ones in the web.config created by VW
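
The two registration styles mentioned in this thread, side by side, as an added example that is not taken from the book or from the AntiCSRF project. It assumes the module is compiled into an assembly named AntiCSRF in the site's bin folder, and the comments are annotations added here.

```xml
<configuration>
  <!-- IIS6, or IIS7 running the Classic pipeline:
       modules are read from system.web/httpModules. -->
  <system.web>
    <httpModules>
      <add name="AntiCSRF.AntiCSRF" type="AntiCSRF.AntiCSRF, AntiCSRF"/>
    </httpModules>
  </system.web>

  <!-- IIS7 running the Integrated pipeline:
       modules are read from system.webServer/modules. -->
  <system.webServer>
    <!-- Needed only when both sections are kept in one file. Without it,
         Integrated mode rejects the system.web/httpModules entry above
         with an HTTP 500.22 error. -->
    <validation validateIntegratedModeConfiguration="false"/>
    <modules>
      <!-- managedHandler: run the module only for requests served by
           managed handlers such as .aspx pages. -->
      <add name="AntiCSRF.AntiCSRF" preCondition="managedHandler"
           type="AntiCSRF.AntiCSRF, AntiCSRF"/>
    </modules>
  </system.webServer>
</configuration>
```

A module registered in the section the active pipeline does not read is never loaded, and the site runs without the protection and without raising an error. Viewing the source of a rendered form and looking for the `__CSRFTOKEN` hidden field confirms whether the module is running.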
 

