Anti Forgery token class for classic asp
<% | |
' Use with a very short session (essentially one page lifecycle: the GET that issues the token, then the POST that validates it)
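' Double-submit anti-forgery token for classic ASP pages.
' SetCookie issues the token (on the GET), GetFormInputElement embeds the same
' value in the form, and Validate checks that the POSTed field matches the cookie.
Class AntiForgeryValidator
    ' Current token: filled by SetCookie (freshly generated) or by GetCookie
    ' (read back from the request cookie). Empty until one of them runs.
    Private m_securityToken

    ' Seed the VBScript generator once per instance. The original reseeded with
    ' "Randomize Timer" inside CreateGuid on every call; the five segments of
    ' CreateWindowsGuid are generated within the Timer's resolution, so they could
    ' share a seed and repeat the same characters.
    Private Sub Class_Initialize()
        Randomize
    End Sub

    ' Generate a new token and send it as a Secure cookie; also sets
    ' X-Frame-Options: SAMEORIGIN on the response.
    ' NOTE(review): classic ASP's Response.Cookies exposes Secure/Path/Domain/Expires
    ' but no HttpOnly property; if HttpOnly is required, apply it in IIS configuration
    ' or emit the Set-Cookie header yourself.
    Sub SetCookie()
        m_securityToken = CreateWindowsGuid()
        Response.Cookies("RequestVerificationToken") = m_securityToken
        Response.Cookies("RequestVerificationToken").Secure = True
        Response.AddHeader "X-Frame-Options", "SAMEORIGIN"
    End Sub

    ' Read the token back from the request cookie, cache it in m_securityToken
    ' and return it (empty when the cookie is absent).
    Function GetCookie()
        m_securityToken = Request.Cookies("RequestVerificationToken")
        GetCookie = m_securityToken
    End Function

    ' Build a GUID-shaped (8-4-4-4-12) uppercase hex string from CreateGuid segments.
    ' NOTE(review): Rnd is not a cryptographic generator, so the token is only as
    ' unpredictable as its seed. For a hardened deployment, replace CreateGuid with
    ' a cryptographic random source available on the host and keep the same format.
    Function CreateWindowsGuid()
        CreateWindowsGuid = CreateGuid(8) & "-" & _
                            CreateGuid(4) & "-" & _
                            CreateGuid(4) & "-" & _
                            CreateGuid(4) & "-" & _
                            CreateGuid(12)
    End Function

    ' Return `length` random uppercase hex characters ("" when length < 1).
    Function CreateGuid(length)
        Const Valid = "0123456789ABCDEF"
        Dim counter, guid
        guid = ""
        For counter = 1 To length
            ' Rnd(1) is in [0,1); Int(...) + 1 maps it onto 1..Len(Valid) for Mid.
            guid = guid & Mid(Valid, Int(Rnd(1) * Len(Valid)) + 1, 1)
        Next
        CreateGuid = guid
    End Function

    ' Hidden input carrying the current token. The value is HTML-encoded because
    ' GetCookie fills m_securityToken straight from the request cookie, i.e. from
    ' client-controlled data; "" & forces the cookie item to a plain string first.
    Function GetFormInputElement
        GetFormInputElement = "<input name=""RequestVerificationToken"" type=""hidden"" " & _
            " value=""" & Server.HTMLEncode("" & m_securityToken) & """ />"
    End Function

    ' True when the posted RequestVerificationToken equals the cookie token and the
    ' cookie is non-empty. The two debug Response.Write lines of the original were
    ' removed: they echoed the token and the posted value into the page body.
    Function Validate
        Dim formValue, cookieValue
        formValue = Request.Form("RequestVerificationToken")
        cookieValue = GetCookie()
        Validate = (cookieValue = formValue And Len(cookieValue) > 0)
    End Function
End Class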
' Demo page: build a validator, dump what it sees on this request, then render a
' form that posts back to the same page. SetCookie stays commented out here, so
' this page only issues a token when that line is enabled.
Dim vv
Set vv = New AntiForgeryValidator
With vv
    '.SetCookie
    Response.Write .GetCookie() & vbCrLf
    Response.Write .GetFormInputElement() & vbCrLf
    Response.Write .Validate() & vbCrLf
End With
%>
<form action="AntiForgery.asp" method="POST">
    <%= vv.GetFormInputElement() %>
    <input type="submit" value="click" />
</form>