#1
Guys,
I have a classic ASP page which has a form submitting to itself. I have to prevent CSRF in the page. So, I went with using a hidden random variable in the form and a session variable to store it. Here is similar code. This works fine unless the user clicks the back button. If the back button is clicked, somehow the session and form value don't match the first time (clicking on the Add button). The next click on Add works fine. Please help me. I got stuck here. Any knowledge regarding session and back button is appreciated.

mypage.asp
------------
```asp
<html>
<body>
<%
if(request.form("add")="true") then
    'here is the anti-csrf check
    if(Int(session.Contents("uid"))=Int(request.form("uid"))) then
        'Do some Critical DB operations
    end if
end if
%>
<%
randomize
uid=rnd*10000+rnd*9
session("uid")=uid
%>
<form name="f1" action="mypage.asp" method="POST">
<input type="text" name="name"/>
<input type="hidden" name="add" value="true"/>
<input type="hidden" name="uid" value="<%=uid%>"/>
</form>
</body>
</html>
```
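The back-button sequence described in post #1, modelled in Python as an added example (not code from the thread, and not ASP): it contrasts a token replaced on every render with one kept for the whole session. The class names, `back_button_sequence`, and the use of `secrets` and `hmac` are assumptions of this example.

```python
import hmac
import secrets


class RotatingTokenPage:
    """Models the posted page: a fresh token is stored on every render."""

    def __init__(self):
        self.session = {}

    def render(self):
        self.session["uid"] = secrets.token_urlsafe(32)
        return self.session["uid"]          # value placed in the hidden field

    def post(self, form_uid):
        expected = self.session.get("uid", "")
        # Constant-time comparison; an empty session token never matches.
        accepted = bool(expected) and hmac.compare_digest(expected, form_uid)
        return accepted, self.render()      # the page re-renders after every POST


class SessionTokenPage(RotatingTokenPage):
    """Variant: one token per session, created once and reused on every render."""

    def render(self):
        if "uid" not in self.session:
            self.session["uid"] = secrets.token_urlsafe(32)
        return self.session["uid"]


def back_button_sequence(page):
    """Replay the sequence from the post: load, Add, Back, Add, Add."""
    cached_form = page.render()                 # first GET; browser caches this HTML
    first, fresh_form = page.post(cached_form)  # Add: token matches
    # Back button: the browser shows the cached HTML, still holding cached_form.
    after_back, fresh_form = page.post(cached_form)
    retry, _ = page.post(fresh_form)            # Add again from the re-rendered page
    forged, _ = page.post("")                   # cross-site request carrying no token
    return [first, after_back, retry, forged]


if __name__ == "__main__":
    print("rotating   :", back_button_sequence(RotatingTokenPage()))
    print("per-session:", back_button_sequence(SessionTokenPage()))
```

Keeping one token per session keeps cached forms valid while a request without the token is still refused. It does not stop the same form being submitted twice, which needs its own check.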
#2
Life is too short to be serious, laugh it up.