To prevent CSRF I want to implement the Synchronizer Token Pattern in my classic ASP application.
I understand that I should generate a token in Session_OnStart. Wh
You could use a GUID as token:
Function GetGUID()
    ' Scriptlet.TypeLib returns the 38-character {GUID} followed by two null
    ' characters; trim them so the value can be stored and compared cleanly.
    GetGUID = Left(CreateObject("Scriptlet.TypeLib").GUID, 38)
End Function
I know the question has already been marked as Answered, but I found this post helpful (doesn't really answer your question), particularly the second response which references Chris Shiflett's article explaining CSRF and a simple solution (answers your question plus some).
Here is how you might convert Chris's PHP to VBScript:
Dim token
' GetGUID() is the function from the answer above; md5() is the linked VBScript implementation.
' Generate the token once per session (e.g. in Session_OnStart): regenerating it on every
' request would invalidate the value already embedded in the form that was just rendered.
If IsEmpty(Session("token")) Or Session("token") = "" Then
    token = md5(GetGUID())
    Session("token") = token
    Session("token_time") = Time() ' if you want to allow for a small window of time
End If

' checks to make sure the request method is truly a post-back
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    ' Prevent CSRF (Cross-Site Request Forgeries) by comparing request-generated tokens. See http://shiflett.org/articles/cross-site-request-forgeries
    ' Require a non-empty session token so an empty form field cannot match an empty session value.
    If Len(Session("token")) > 0 And CStr(Request.Form("token")) = Session("token") Then
        ' Request is a post-back and is not a CSRF
    End If
End If
You can have a look at the md5() function (used to hash the GUID) here. The md5 hash isn't necessary, but does add another layer of uniqueness and security.
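The same pattern written out as a reusable Classic ASP include, added here as an example; it is not code from either answer or from Chris Shiflett's article. It assumes a hypothetical include name csrf_token.asp, a 30-minute validity window (TOKEN_WINDOW_MINUTES, my choice), and uses Now() rather than Time() so the window survives midnight. The trimmed GUID itself serves as the token, so the md5() dependency is not needed, and the comparison walks every character so the time taken does not reveal where two tokens first differ:

```vbscript
<%
' csrf_token.asp (hypothetical include name): added example, not from the original answers.
Const TOKEN_WINDOW_MINUTES = 30   ' assumption: how long one token stays valid

' Create a new token and stamp its creation time.
Sub RotateCsrfToken()
    ' Scriptlet.TypeLib appends two null characters after the 38-char GUID; trim them.
    Session("token") = Left(CreateObject("Scriptlet.TypeLib").GUID, 38)
    Session("token_time") = Now()
End Sub

' Generate a token only when the session has none; regenerating it on every
' request would invalidate the value embedded in the form just rendered.
Sub EnsureCsrfToken()
    If IsEmpty(Session("token")) Or Session("token") = "" Then
        RotateCsrfToken
    End If
End Sub

' Emit the hidden field that carries the token back with the form.
Sub WriteCsrfField()
    EnsureCsrfToken
    Response.Write "<input type=""hidden"" name=""token"" value=""" & _
                   Server.HTMLEncode(Session("token")) & """>"
End Sub

' Compare all characters regardless of where they first differ.
Function TokensMatch(a, b)
    Dim i, diff
    If Len(a) <> Len(b) Or Len(a) = 0 Then
        TokensMatch = False
        Exit Function
    End If
    diff = 0
    For i = 1 To Len(a)
        diff = diff Or (Asc(Mid(a, i, 1)) Xor Asc(Mid(b, i, 1)))
    Next
    TokensMatch = (diff = 0)
End Function

' Call at the top of any page that processes a form submission.
Sub RequireValidCsrfToken()
    If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then Exit Sub
    Dim submitted, expired
    submitted = CStr(Request.Form("token"))
    expired = IsEmpty(Session("token_time")) Or _
              DateDiff("n", Session("token_time"), Now()) > TOKEN_WINDOW_MINUTES
    If expired Or Not TokensMatch(submitted, CStr(Session("token"))) Then
        RotateCsrfToken   ' a rejected request does not get a second attempt at the same value
        Response.Status = "403 Forbidden"
        Response.Write "Request rejected: missing, stale or mismatched token."
        Response.End
    End If
End Sub
%>
```

Include the file on every page, call WriteCsrfField inside the form on the page that renders it, and call RequireValidCsrfToken before any state-changing work on the page that receives the POST. Because the token is regenerated after a rejected submission, a legitimate user whose token has expired simply reloads the form and gets a fresh one.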