Preventing CSRF in ASP
Guys,
I have a classic ASP page which has a form submitting to itself. I have to prevent CSRF in the page. So, I went
with using a hidden random variable in the form and a session variable to store it. Here is similar code.
This works fine unless the user clicks the back button. If the back button is clicked, somehow the session and form value
don't match the first time (clicking on the Add button). The next click on Add works fine.
Please help me. I got stuck here.
Any knowledge regarding session and back button is appreciated.
mypage.asp
------------
<html>
<body>
<%
' Handle the POST of the form below back to this same page
if(request.form("add")="true") then
'here is the anti-csrf check: the hidden field must match the value stored in the session
if(Int(session.Contents("uid"))=Int(request.form("uid"))) then
'Do some Critical DB operations
end if
end if
%>
<%
' A new random value is generated on EVERY load (GET and POST) and overwrites the session copy
randomize
uid=rnd*10000+rnd*9
session("uid")=uid
%>
<form name="f1" action="mypage.asp" method="POST">
<input type="text" name="name"/>
<input type="hidden" name="add" value="true"/>
<input type="hidden" name="uid" value="<%=uid%>"/>
<input type="submit" value="Add"/>
</form>
</body>
</html>
Life is too short to be serious, laugh it up.
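The back-button behaviour described in the post, modelled in Python as an added example (not the poster's ASP code): the in-memory Session class, the render and check functions and the scenario are all constructed here. It contrasts regenerating the token on every page load with issuing one token per session, and uses secrets plus hmac.compare_digest instead of rnd and a plain equality test.

```python
import hmac
import secrets


class Session:
    """Minimal stand-in for the ASP Session object (constructed for this example)."""

    def __init__(self):
        self.data = {}


def render_regenerating(session):
    """Poster's approach: a fresh token on every page load overwrites the session copy."""
    token = secrets.token_hex(16)
    session.data["uid"] = token
    return token  # value that goes into the hidden <input name="uid">


def render_per_session(session):
    """Fix: create the token once per session and reuse it, so a cached page stays valid."""
    if "uid" not in session.data:
        session.data["uid"] = secrets.token_hex(16)
    return session.data["uid"]


def check_submit(session, form_uid):
    """Anti-CSRF check; compare_digest avoids leaking the token through timing."""
    expected = session.data.get("uid")
    if expected is None or form_uid is None:
        return False
    return hmac.compare_digest(expected, form_uid)


def back_button_scenario(render):
    """Load the page, submit it, press back to the cached page and submit again.

    Returns (first_submit_ok, replay_after_back_ok)."""
    session = Session()
    page = render(session)            # browser caches this page with its hidden uid
    first = check_submit(session, page)
    render(session)                   # server renders the response page after the POST
    replay = check_submit(session, page)  # back button: the cached hidden value is sent again
    return first, replay


if __name__ == "__main__":
    print("regenerate each load:", back_button_scenario(render_regenerating))
    print("one token per session:", back_button_scenario(render_per_session))
```

The per-session token should still be issued inside the authenticated session and discarded on logout, so a cached page from a previous login cannot be replayed.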