BOOK: Beginning ASP.NET Security
This is the forum to discuss the Wrox book Beginning ASP.NET Security by Barry Dorrans; ISBN: 978-0-470-74365-2
#1
January 20th, 2011, 02:28 PM
Registered User
Chapter 4. AntiCSRF httpModule not working

Hi

I've followed the instructions in the book seemingly correctly, but my aspx page does not contain the hidden field after I have created a reference to the AntiCSRF class library.

Code:
 
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Globalization;

namespace AntiCSRF
{
    class AntiCSRF : IHttpModule
    {
        #region IHttpModule Members

        public void Dispose()
        {
        }

        public void Init(HttpApplication context)
        {
            // Hook the pipeline twice: before the page handler runs (to attach
            // to the page) and just before the response headers are sent.
            context.PreSendRequestHeaders += new EventHandler(PreSendRequestHeaders);
            context.PreRequestHandlerExecute += new EventHandler(PreRequestHandlerExecute);
        }

        #endregion

        private static void PreSendRequestHeaders(object source, EventArgs args)
        {
            // Empty as transcribed: nothing in this module writes the
            // __CSRFCOOKIE cookie, so the token stored in context.Items
            // below never reaches the browser.
        }

        private static void PreRequestHandlerExecute(object source, EventArgs args)
        {
            HttpApplication application = (HttpApplication)source;
            HttpContext context = application.Context;
            if (context.Handler != null)
            {
                // Only Web Forms pages are handled; other handlers are ignored.
                Page page = context.Handler as Page;
                if (page != null)
                {
                    page.PreRender += PagePreRender;
                }
            }
        }

        private static void PagePreRender(object source, EventArgs args)
        {
            Page page = source as Page;
            if (page != null && page.Form != null)
            {
                string csrfToken;
                HttpContext context = HttpContext.Current;
                if (context.Request == null ||
                    context.Request.Cookies == null ||
                    context.Request.Cookies["__CSRFCOOKIE"] == null ||
                    string.IsNullOrEmpty(context.Request.Cookies["__CSRFCOOKIE"].Value))
                {
                    // No cookie yet (first request): mint a token and stash it.
                    // Note that no hidden field is registered on this path.
                    csrfToken = Guid.NewGuid().ToString("D", CultureInfo.InvariantCulture);
                    context.Items["Wrox.CSRFContext"] = csrfToken;
                }
                else
                {
                    // Cookie present: reuse its value and emit the hidden field.
                    csrfToken = page.Request.Cookies["__CSRFCOOKIE"].Value;
                    ObjectStateFormatter stateFormatter = new ObjectStateFormatter();
                    page.ClientScript.RegisterHiddenField("__CSRFTOKEN",
                        stateFormatter.Serialize(csrfToken));
                }
            }
        }
    }
}
I am using Visual Studio 2008. My Web.config looks like:

Code:
<httpModules>
    <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    <add name="AntiCSRF" type="AntiCSRF.AntiCSRF, AntiCSRF"/>
</httpModules>
Any idea what I might be missing?

Cheers

Stewart
The Following User Says Thank You to digitalsoul For This Useful Post:
#2
January 21st, 2011, 07:54 AM
Registered User
Solved it. Appears to be a code error in the Kindle edition

In the Kindle edition the lines:

Code:
ObjectStateFormatter stateFormatter = new ObjectStateFormatter();
page.ClientScript.RegisterHiddenField("__CSRFTOKEN",
    stateFormatter.Serialize(csrfToken));
only get run if __CSRFCOOKIE already has a value, which it doesn't on the first request.

If I move these lines outside of the if/else block then the code works. Could the author confirm whether this error does exist?

Thanks
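The fix from the post above carried through as a complete module, added here as an illustration; this is my own code, not the book's listing and not the CodePlex project. Besides emitting the hidden field on every render, it writes the cookie from PreSendRequestHeaders (which the posted listing leaves empty) and checks the submitted field against the cookie on every POST. The namespace, class name and context-item keys are invented for the example. It deliberately drops ObjectStateFormatter: a GUID needs no serialisation, and the verification path must never deserialise a value the client controls.

```csharp
using System;
using System.Globalization;
using System.Web;
using System.Web.UI;

// Added illustration for this thread; not the book's module and not the
// CodePlex AntiCSRF project. Namespace, class and context keys are assumed names.
namespace AntiCsrfExample
{
    public class AntiCsrfModule : IHttpModule
    {
        private const string CookieName = "__CSRFCOOKIE";
        private const string FieldName = "__CSRFTOKEN";
        private const string TokenKey = "AntiCsrfExample.Token";       // token used by this request
        private const string NewTokenKey = "AntiCsrfExample.NewToken"; // set only when a token was minted

        public void Init(HttpApplication context)
        {
            context.PreRequestHandlerExecute += OnPreRequestHandlerExecute;
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        public void Dispose() { }

        private static void OnPreRequestHandlerExecute(object sender, EventArgs e)
        {
            HttpContext context = ((HttpApplication)sender).Context;
            Page page = context.Handler as Page;
            if (page == null) return;   // only Web Forms pages are protected here

            // Decide the token before the page runs so the hidden field and the
            // cookie always carry the same value.
            HttpCookie cookie = context.Request.Cookies[CookieName];
            string token;
            if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            {
                token = Guid.NewGuid().ToString("D", CultureInfo.InvariantCulture);
                context.Items[NewTokenKey] = token;   // tells PreSendRequestHeaders to set the cookie
            }
            else
            {
                token = cookie.Value;
            }
            context.Items[TokenKey] = token;

            // Verify on every POST: the form field must match the cookie.
            if (string.Equals(context.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            {
                string submitted = context.Request.Form[FieldName];
                if (cookie == null || string.IsNullOrEmpty(submitted) || !FixedTimeEquals(submitted, cookie.Value))
                {
                    throw new HttpException(403, "Missing or invalid anti-CSRF token.");
                }
            }

            page.PreRender += OnPagePreRender;
        }

        private static void OnPagePreRender(object sender, EventArgs e)
        {
            Page page = (Page)sender;
            if (page.Form == null) return;
            // Emit the field on every render, including the first request that
            // has no cookie yet; that is the branch the thread found missing.
            string token = (string)HttpContext.Current.Items[TokenKey];
            page.ClientScript.RegisterHiddenField(FieldName, token);
        }

        private static void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpContext context = ((HttpApplication)sender).Context;
            string fresh = context.Items[NewTokenKey] as string;
            if (fresh == null) return;   // browser already holds the cookie
            HttpCookie cookie = new HttpCookie(CookieName, fresh);
            cookie.HttpOnly = true;
            cookie.Secure = context.Request.IsSecureConnection;
            context.Response.Cookies.Add(cookie);
        }

        // Compare without stopping at the first differing character.
        private static bool FixedTimeEquals(string a, string b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

Register it under system.web/httpModules exactly as in the first post for the Visual Studio 2008 development server and IIS 6 or classic mode; under the IIS 7 integrated pipeline the same add element belongs in system.webServer/modules instead, otherwise Init never runs and no hidden field appears. The check is a double-submit comparison, so it is only as strong as the browser's protection of the cookie: anyone who can set cookies for the domain (a sibling subdomain, for instance) can defeat it, and binding the token to the session or MACing it with a server-side secret closes that gap.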
#3
January 21st, 2011, 09:28 AM
Wrox Author

I'd suggest pulling the code from anticsrf.codeplex.com, it's a more fleshed out version of the module.