p2p.wrox.com Forums (http://p2p.wrox.com/)
-   BOOK: Beginning ASP.NET Security (http://p2p.wrox.com/book-beginning-asp-net-security-548/)
-   -   CH 4 CSRF (http://p2p.wrox.com/book-beginning-asp-net-security/80384-ch-4-csrf.html)

msherburne84 August 5th, 2010 12:22 AM

CH 4 CSRF
 
I'm trying to go along with the CSRF example. I'm running .NET 4.0 and have changed a few of the module settings in the web.config file.

Code:

<add name="ScriptModule" preCondition="managedHandler"
     type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>

This is the public key token from the 4.0 version of System.Web.Extensions. I'm not sure if this is my issue or what. I'm not initializing the AntiCSRF assembly at all.

blowdart August 5th, 2010 12:42 AM

Oh, yes, that would be the wrong initialization string.

You'll need to use

Code:

<system.webmodules>
  ....
  <modules>
    <add name="AntiCSRF.AntiCSRF" preCondition="managedHandler"
 type="AntiCSRF.AntiCSRF, AntiCSRF"/>
  </modules>
  ....
</system.webmodules>

I'll get that put in the errata.

msherburne84 August 5th, 2010 01:13 AM

I just tried that and that is not working. I added in the code as you said with system.webmodules, but can't seem to find out what system.webmodules is.

This is what I have in my web.config file:

Code:

<system.webServer>
  <modules>
    <add name="AntiCSRF.AntiCSRF" preCondition="managedHandler"
         type="AntiCSRF.AntiCSRF, AntiCSRF"/>
  </modules>
</system.webServer>

This is what I have for AntiCSRF.cs:

Code:

using System;
using System.Globalization;
using System.Web;
using System.Web.UI;

namespace AntiCSRF
{
    // The class must be public so ASP.NET can instantiate it from the
    // type string in web.config ("AntiCSRF.AntiCSRF, AntiCSRF").
    public class AntiCSRF : IHttpModule
    {
        private const string CookieName = "__CSRFCOOKIE";
        private const string FieldName = "__CSRFTOKEN";
        private const string ContextKey = "Wrox.CSRFContext";

        public void Dispose()
        {
        }

        public void Init(HttpApplication context)
        {
            // Wire the handlers that do the work. The earlier version of this
            // file attached two empty stub handlers here, so nothing ever ran.
            context.PreSendRequestHeaders += PreSendRequestHeaders;
            context.PreRequestHandlerExecute += PreRequestHandlerExecute;
        }

        private static void PreRequestHandlerExecute(object source, EventArgs eventArgs)
        {
            HttpApplication application = (HttpApplication)source;
            HttpContext context = application.Context;
            if (context.Handler != null)
            {
                Page page = context.Handler as Page;
                if (page != null)
                {
                    // Hook PreRender so the token field is emitted into the form.
                    page.PreRender += PagePreRender;
                }
            }
        }

        private static void PagePreRender(object source, EventArgs eventArgs)
        {
            Page page = source as Page;
            if (page != null && page.Form != null)
            {
                string csrfToken;
                HttpContext context = HttpContext.Current;
                HttpCookie cookie = context.Request.Cookies[CookieName];
                if (cookie == null || string.IsNullOrEmpty(cookie.Value))
                {
                    // No cookie yet: mint a token and stash it so that
                    // PreSendRequestHeaders can set the cookie on this response.
                    csrfToken = Guid.NewGuid().ToString("D", CultureInfo.InvariantCulture);
                    context.Items[ContextKey] = csrfToken;
                }
                else
                {
                    csrfToken = cookie.Value;
                }

                // Serialize the token the same way ViewState is, and add it as a
                // hidden field so the page posts it back alongside the cookie.
                ObjectStateFormatter stateFormatter = new ObjectStateFormatter();
                page.ClientScript.RegisterHiddenField(FieldName, stateFormatter.Serialize(csrfToken));
            }
        }

        private static void PreSendRequestHeaders(object source, EventArgs eventArgs)
        {
            // Emit the cookie holding the token that PagePreRender minted, if any.
            HttpApplication application = (HttpApplication)source;
            HttpContext context = application.Context;
            string csrfToken = context.Items[ContextKey] as string;
            if (!string.IsNullOrEmpty(csrfToken))
            {
                HttpCookie cookie = new HttpCookie(CookieName, csrfToken) { HttpOnly = true };
                context.Response.Cookies.Add(cookie);
            }
        }
    }
}

I also took your suggestion to look over Leveraging_HTTPModules_for_Better_ASPNET_Application and couldn't find any reference to system.webmodules either. Maybe I'm missing something.

Thanks again in advance.

blowdart August 5th, 2010 01:19 AM

If you're using IIS7 it will be at the bottom of the web.config.

You might want to pick up the latest code from http://anticsrf.codeplex.com/

If you're using IIS6 then it doesn't exist/get used; use the older style in system.web. In either case you'll see example ones in the web.config created by VS.
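A complete web.config showing both registration styles side by side, added here as an illustration rather than taken from the book or from the anticsrf.codeplex.com project. It assumes the module is the `AntiCSRF.AntiCSRF` class in an assembly named `AntiCSRF` (as in the thread) built into the application's bin folder; the section and element names are IIS's own.

```xml
<?xml version="1.0"?>
<configuration>

  <system.web>
    <!-- Classic pipeline (IIS 6, or an IIS 7 application pool running in
         classic mode): managed modules are registered here. The integrated
         pipeline ignores this section. -->
    <httpModules>
      <add name="AntiCSRF" type="AntiCSRF.AntiCSRF, AntiCSRF"/>
    </httpModules>
  </system.web>

  <system.webServer>
    <!-- Integrated pipeline (IIS 7 and later): this is the section that is
         actually read. The type string is "Namespace.Class, AssemblyName".
         preCondition="managedHandler" runs the module only for requests that
         a managed handler (e.g. .aspx) serves, not for static files. -->
    <modules>
      <add name="AntiCSRF" type="AntiCSRF.AntiCSRF, AntiCSRF"
           preCondition="managedHandler"/>
    </modules>

    <!-- Without this, IIS 7 integrated mode refuses to start an application
         whose system.web section still carries an httpModules entry
         (HTTP 500.22). Keep it only while both sections are present. -->
    <validation validateIntegratedModeConfiguration="false"/>
  </system.webServer>

</configuration>
```

A quick check that the module is actually loaded: drop a breakpoint (or a `Trace.Write`) in `Init`; if it never fires under IIS 7, the entry is in the wrong section or the class is not public. The `ScriptModule` entry for System.Web.Extensions that the original post changed is unrelated to this module and does not need to match its version.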

