AntiCSRF in VB?

nthoeming · October 10th, 2012, 02:50 PM

I'm attempting to reproduce the AntiCSRF class from Chapter 4 in VB and my skill level is less than stellar.

In particular, I'm running into issues adding the

Code:

page.PreRender += PagePreRender;

line from the PreRequestHandlerExecute method.

Does this module exist in VB anywhere?
If not, can you push me in the right direction?
Thanks

My work-in-progress code:

Code:

Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.Text
Imports System.Web
Imports System.Web.UI
Imports System.Globalization


Public Class AntiCSRF
    Implements IHttpModule

#Region "IHttpModule Members"
    Public Sub Dispose() Implements System.Web.IHttpModule.Dispose

    End Sub

    Public Sub Init(context As System.Web.HttpApplication) Implements System.Web.IHttpModule.Init
        AddHandler context.PreSendRequestHeaders, AddressOf AntiCSRF.PreSendRequestHeaders
        AddHandler context.PreRequestHandlerExecute, AddressOf AntiCSRF.PreRequestHandlerExecute
    End Sub
#End Region
    Private Shared Sub PreSendRequestHeaders(ByVal source As Object, ByVal args As EventArgs)
        
    End Sub
    Private Shared Sub PreRequestHandlerExecute(ByVal source As Object, ByVal args As EventArgs)
        Dim application As HttpApplication = CType(source, HttpApplication)
        Dim context As HttpContext = application.Context
        If (Not (context.Handler) Is Nothing) Then
            Dim page As Page = context.Handler
            If (Not (page) Is Nothing) Then

            End If
        End If
    End Sub
    Private Shared Sub PagePreRender(ByVal source As Object, ByVal eventArgs As EventArgs)
        Dim page As Page = CType(source, Page)
        If ((Not (page) Is Nothing) _
                    AndAlso (Not (page.Form) Is Nothing)) Then
            Dim csrfToken As String
            Dim context As HttpContext = HttpContext.Current
            If ((context.Request Is Nothing) _
                        OrElse ((context.Request.Cookies Is Nothing) _
                        OrElse ((context.Request.Cookies("__CSRFCOOKIE") Is Nothing) _
                        OrElse String.IsNullOrEmpty(context.Request.Cookies("__CSRFCOOKIE").Value)))) Then
                csrfToken = Guid.NewGuid.ToString("D", CultureInfo.InvariantCulture)
            Else
                csrfToken = page.Request.Cookies("__CSRFCOOKIE").Value
            End If
            Dim stateFormatter As ObjectStateFormatter = New ObjectStateFormatter
            page.ClientScript.RegisterHiddenField("__CSRFTOKEN", stateFormatter.Serialize(csrfToken))
        End If
    End Sub
End Class

philip_cole · October 12th, 2012, 10:28 AM

Hi nthoeming,

I haven't code the code for that snippet, but is that not just registering the event handler for PreRender, in the same way as the PreSendRequestHeaders handler is being set in Init?

In which case you shopuld just be able to do

Code:

AddHandler page.PreRender, AddressOf PagePreRender

HTH
Phil

nthoeming · October 12th, 2012, 03:33 PM

Thanks, so far, so good...