Helps to protect against XSRF attacks
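/// <summary>
/// Site master page. <see cref="Page_Init"/> and <see cref="master_Page_PreLoad"/> implement a
/// double-submit anti-XSRF check: the token travels in an HttpOnly cookie and a copy (plus the
/// user name) is stored in ViewState, with <see cref="Page.ViewStateUserKey"/> bound to the same
/// token. <see cref="Page_Load"/> renders the login/logout links and sends anyone who is not
/// logged in as "support" back to Default.aspx.
/// </summary>
public partial class HuntGroup : System.Web.UI.MasterPage
{
    // Cookie name carrying the anti-XSRF token, and the ViewState keys under which the token
    // and the user name seen at first render are remembered for the postback check.
    private const string AntiXsrfTokenKey = "__AntiXsrfToken";
    private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";

    // Token for the current request: read back from the cookie, or freshly generated in Page_Init.
    private string _antiXsrfTokenValue;

    /// <summary>
    /// Establishes the per-request anti-XSRF token before ViewState is loaded and wires up the
    /// PreLoad validation handler.
    /// </summary>
    /// <param name="sender">Event source (unused).</param>
    /// <param name="e">Event data (unused).</param>
    protected void Page_Init(object sender, EventArgs e)
    {
        var requestCookie = Request.Cookies[AntiXsrfTokenKey];
        Guid parsedToken;

        if (requestCookie != null && Guid.TryParse(requestCookie.Value, out parsedToken))
        {
            // A cookie that parses as a GUID is accepted as-is; the raw cookie string (not the
            // normalised GUID) is what gets compared against ViewState later on.
            _antiXsrfTokenValue = requestCookie.Value;
        }
        else
        {
            // No usable cookie: mint a new token and hand it to the client. HttpOnly keeps it
            // out of reach of script; "N" yields 32 hex digits with no braces or dashes.
            _antiXsrfTokenValue = Guid.NewGuid().ToString("N");

            var responseCookie = new HttpCookie(AntiXsrfTokenKey)
            {
                HttpOnly = true,
                Value = _antiXsrfTokenValue
            };

            // Secure is only set when forms authentication already demands SSL, so a site that
            // serves HTTPS without RequireSSL issues a token cookie that may also travel over HTTP.
            // NOTE(review): confirm RequireSSL is enabled for production deployments.
            if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
            {
                responseCookie.Secure = true;
            }

            Response.Cookies.Set(responseCookie);
        }

        // Binding the token to ViewStateUserKey makes the ViewState MAC token-specific, so
        // ViewState captured under one token cannot be replayed under another.
        Page.ViewStateUserKey = _antiXsrfTokenValue;
        Page.PreLoad += master_Page_PreLoad;
    }

    /// <summary>
    /// On the first render, stores the token and user name in ViewState; on postback, verifies
    /// both against the current request.
    /// </summary>
    /// <param name="sender">Event source (unused).</param>
    /// <param name="e">Event data (unused).</param>
    /// <exception cref="InvalidOperationException">
    /// The posted ViewState token differs from the cookie token, or the user name changed since
    /// the page was rendered.
    /// </exception>
    protected void master_Page_PreLoad(object sender, EventArgs e)
    {
        var currentUserName = Context.User.Identity.Name ?? string.Empty;

        if (!IsPostBack)
        {
            // Record what this page was rendered for; the postback must present the same pair.
            ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
            ViewState[AntiXsrfUserNameKey] = currentUserName;
            return;
        }

        var postedToken = (string)ViewState[AntiXsrfTokenKey];
        var postedUserName = (string)ViewState[AntiXsrfUserNameKey];

        // Either mismatch means the form was not rendered for this cookie/user combination.
        if (postedToken != _antiXsrfTokenValue || postedUserName != currentUserName)
        {
            throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
        }
    }

    /// <summary>
    /// On the initial (non-postback) request, renders the login or logout link for the agent
    /// held in <c>Session["Agent"]</c> and redirects to Default.aspx unless that agent's
    /// user name is exactly "support".
    /// </summary>
    /// <param name="sender">Event source (unused).</param>
    /// <param name="e">Event data (unused).</param>
    /// <exception cref="InvalidCastException"><c>Session["Agent"]</c> holds a non-<c>Agent</c> value.</exception>
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Page.IsPostBack)
        {
            return;
        }

        if (Session["Agent"] == null)
        {
            // Not logged in: show the state on the logout label and offer a login link.
            lblLogOut.Text = "Logged Out";
            var logIn = new HyperLink { Text = "Log In", NavigateUrl = "~/Default.aspx" };
            lblLogin.Controls.Add(logIn);

            // NOTE(review): endResponse is false, so the page lifecycle keeps running after the
            // Location header is set and the rendered page is presumably sent as the 302 body.
            // Confirm that is acceptable here, or end the request once the redirect is issued.
            Response.Redirect("~/Default.aspx", false);
            return;
        }

        // Previously an Agent was allocated and immediately overwritten by the session value;
        // the cast alone is what was ever used.
        var user = (Agent)Session["Agent"];
        lblLogin.Text = "Logged in as: " + user.UserName;
        var logOut = new HyperLink { Text = "Log Out", NavigateUrl = "~/Logout.aspx" };
        lblLogOut.Controls.Add(logOut);

        // Authorisation is by literal user name: only "support" may stay on this page.
        // NOTE(review): same endResponse caveat as above applies to this redirect.
        if (user.UserName != "support")
        {
            Response.Redirect("~/Default.aspx", false);
        }
    }
}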