0

How to prevent replay attacks or multiple postbacks using Nonce Key in MVC 2.0

I am looking for a low level implementaion solution for this. It does not have to be a complete one, but any examples of having used Nonce keys for this purpose in an action filter would be welcomed.

The idea is to stop multiple form submissions by user via multiple button press or enter key hits. I allready have a JavaScript solution for this but I am looking for a generic server side option now.

My Question is based on the solution offered here: What methods are available to stop multiple postbacks of a form in ASP.NET MVC?

Community
  • 1
  • 1
Max
  • 163
  • 2
  • 7

1 Answers1

0

You could store a unique key (Guid perhaps) that is stored in the users session and refreshes every time every page is loaded.

The guid should be included in every form (perhaps a hidden form field) and compared against each time.

This does have the downside if the user has more than one window open.

A possible implementation (however it's meant for AntiCSRF - but could pose useful) is HtmlHelper.AntiForgeryToken Method and ValidateAntiForgeryTokenAttribute

Alex KeySmith
  • 16,657
  • 11
  • 74
  • 152
  • Thanks for the suggestion, but I'm looking for the implementation code of the solution as described on the mentioned post, not the actual logic. – Max May 23 '11 at 16:10
  • No worries @Sammy K, whoops I didn't look at the link first. Looks like my answer is pretty much the same - I didn't realise it's called nounce keys. You may want to look into "Anti Cross Site Request Forgery", it's a security mechanism but it could have the side effect of stopping double form submissions. I believe there is some AntiCSRF techniques built into MVC3 http://msdn.microsoft.com/en-us/library/dd470175.aspx – Alex KeySmith May 24 '11 at 08:06