howto implement Synchronizer Token Pattern in classic asp

后端 未结 2 1172
一向
一向 2021-01-14 09:00

to prevent CSRF I want to implement the Synchronizer Token Pattern in my classic asp application.

I understand that iIshould generate a token in session_onstart. Wh

相关标签:
2条回答
  • 2021-01-14 09:18

    You could use a GUID as token:-

    Function GetGUID()
    
        GetGUID = CreateObject("Scriptlet.TypeLib").GUID 
    
    End Function
    
    0 讨论(0)
  • 2021-01-14 09:25

    I know the question has already been marked as Answered, but I found this post helpful (doesn't really answer your question), particularly the second response which references Chris Shiflett's article explaining CSRF and a simple solution (answers your question plus some).

    Here is how you might convert Chris's PHP to VBScript:

    Dim token
    token = md5(GetGUID())
    Session("token")=token
    Session("token_time")=Time() ' if you want to allow for a small window of time
    
    ' checks to make sure the request method is truly a post-back
    If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
        ' Prevent CSRF (Cross-Site Request Forgeries) by comparing request-generated tokens. See http://shiflett.org/articles/cross-site-request-forgeries
        If Request.Form("token") = Session("token") Then
            ' Request is a post-back and is not a CSRF  
        End If
    End If
    

    You can have a look at the md5() function (used to hash the GUID) here. The md5 hash isn't necessary, but does add another layer of uniqueness and security.

    0 讨论(0)
提交回复
热议问题