Generating AntiForgeryToken in WebForms

asp.net-mvc xss
Naz picture Naz · Aug 24, 2009 · Viewed 22.5k times · Source

I have a .NET Webforms site thanks needs to post to my MVC Application which currently sits inside the Webform site as a separate application.

The Webform application need to POST some sensitive values to the MVC Application.

Is there a way to generate a AntiForgeryToken() in my WebForms Application so it can be passed with the form post.

Otherwise does anyone know of any other custom anti forgery code that will allow me to do something similar to the MVC's AntiForgeryValidation.

Answer

Ian Ippolito picture Ian Ippolito · Jun 5, 2013

This is an old question, but the latest Visual Studio 2012 ASP.NET template for web forms includes anti CSRF code baked into the master page. If you don't have the templates, here's the code it generates:

Protected Sub Page_Init(sender As Object, e As System.EventArgs)


    ' The code below helps to protect against XSRF attacks
    Dim requestCookie As HttpCookie = Request.Cookies(AntiXsrfTokenKey)
    Dim requestCookieGuidValue As Guid
    If ((Not requestCookie Is Nothing) AndAlso Guid.TryParse(requestCookie.Value, requestCookieGuidValue)) Then
        ' Use the Anti-XSRF token from the cookie
        _antiXsrfTokenValue = requestCookie.Value
        Page.ViewStateUserKey = _antiXsrfTokenValue
    Else
        ' Generate a new Anti-XSRF token and save to the cookie
        _antiXsrfTokenValue = Guid.NewGuid().ToString("N")
        Page.ViewStateUserKey = _antiXsrfTokenValue

        Dim responseCookie As HttpCookie = New HttpCookie(AntiXsrfTokenKey) With {.HttpOnly = True, .Value = _antiXsrfTokenValue}
        If (FormsAuthentication.RequireSSL And Request.IsSecureConnection) Then
            responseCookie.Secure = True
        End If
        Response.Cookies.Set(responseCookie)
    End If

    AddHandler Page.PreLoad, AddressOf master_Page_PreLoad
End Sub

Private Sub master_Page_PreLoad(sender As Object, e As System.EventArgs)


    If (Not IsPostBack) Then
        ' Set Anti-XSRF token
        ViewState(AntiXsrfTokenKey) = Page.ViewStateUserKey
        ViewState(AntiXsrfUserNameKey) = If(Context.User.Identity.Name, String.Empty)
    Else
        ' Validate the Anti-XSRF token
        If (Not DirectCast(ViewState(AntiXsrfTokenKey), String) = _antiXsrfTokenValue _
            Or Not DirectCast(ViewState(AntiXsrfUserNameKey), String) = If(Context.User.Identity.Name, String.Empty)) Then
            Throw New InvalidOperationException("Validation of Anti-XSRF token failed.")
        End If
    End If
End Sub

Related questions

How to save HTML to database and retrieve it properly

Learning security these days :) I need to allow users to enter text in a form and allow them some HTML tags: bold, italic, list etc. and to prevent them to add some dangerous JavaScript code. So I have used this …

Read More
How do you avoid XSS vulnerabilities in ASP.Net (MVC)?

I recently noticed that I had a big hole in my application because I had done something like: <input type="text" value="<%= value%>" /> I know that I should have used Html.Encode, but is there any …

Read More
How to use Microsoft AntiXss 4.x?

I want to use the new version of the AntiXss library from Microsoft. I downloaded it from the Nuget package but I'm not sure where should I go from here. No documentation is provided for the library and all the …

Read More