|
-
 Preventing CSRF in ASP
Guys,
I have an classic asp page which has a form submitting to itself. I have to prevent CSRF in the page. So, I went
with using a hidden random variable in the form and a session variable to store it. Here is similar code.
This works fine unless user clicks back button.If back button is clicked, Somehow the session and form value
don't match for first time (clicking on Add button). Next Clicking on Add works fine.
Please help me. I got Stuck here.
Any knowledge regarding session and back button is appreciated.
mypage.asp
------------
<html>
<body>
<%
if(request.form("add")="true") then
'here is the anti-csrf check
if(Int(session.Contents("uid"))=Int(request.form("uid"))) then
'Do some Critical DB operations
end if
end if
%>
<%
randomize
uid=rnd*10000+rnd*9
session("uid")=uid
%>
<form name="f1" action="mypage.asp" method="POST">
<input type="text" name="name"/>
<input type="hidden" name="add" value="true"/>
<input type="hidden" name="uid" value="<%=uid%>"/>
</form>
</body>
</html>
-
Life is too short to be serious, laugh it up.
Similar Threads
-
By andwan0 in forum ASP.NET
Replies: 1
Last Post: 09-03-2009, 05:23 PM
-
By Emad Ramadan in forum ASP.NET
Replies: 4
Last Post: 09-30-2008, 07:12 AM
-
By Iain Munro in forum ASP.NET
Replies: 0
Last Post: 02-22-2002, 08:44 AM
-
By Keith Franklin, MCSD in forum Talk to the Editors
Replies: 18
Last Post: 09-27-2000, 11:48 AM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Development Centers
-- Android Development Center
-- Cloud Development Project Center
-- HTML5 Development Center
-- Windows Mobile Development Center
|
Reply With Quote
