3

Is there a better way other than the Anti Forgery Token like built-in functionalities in asp.net mvc2. I would like to code my own http module to avoid CSRF.

Also to my understanding the Antiforgerytoken does not generate any cookies. Is the "double-submitted cookie" a good method?

Any best practices or suggestions.

--edit : This link is useful: Stackoverflow previous question

Community
  • 1
  • 1
Saravanan
  • 7,637
  • 5
  • 41
  • 72
  • I need some of the other better ways that can evade cookie stealing and other formats. I also donot use captcha, a better alternative though.. I want to handle this issue from the IIS levels... – Saravanan Aug 01 '11 at 03:24
  • Maybe explain why you need to handle it at the IIS level. I say that because using the AntiForgeryToken would be considered the best practice. And yes, it does produce a cookie... that's how it all works. This blog post has a good explaination on how it all works. http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/ – Charlino Aug 01 '11 at 03:46
  • @Charlino: Basically my solution will be a library and that has to take care of avoiding CSRF. I will have no UI and want the user of my library to forget about CSRF as i handle it from my library. I have too tested antiforgerytoken and works fine, but am in need of a serverside solution. – Saravanan Aug 01 '11 at 04:13
  • The OWASP CSRFGuard for .NET would be worth a look. https://www.owasp.org/index.php/.Net_CSRF_Guard – nekno Aug 02 '11 at 23:01

1 Answers1

1

This library looks similar to what you are writing. http://anticsrf.codeplex.com/ It uses a cookie for a token. I've used it and it helped my project pass a security review.

maddoxej
  • 1,662
  • 13
  • 19