我正在寻找一个抽象基类或母版页解决方案,以防止任何人同时使用令牌和 ttl 进行 XSRF。谁能指出我正确的方向?
编辑:理想的解决方案将利用默认会员提供者发送给客户端的 cookie。
您可以在母版页上放置一个隐藏字段,在母版页的 Page_Load 事件期间生成一个密钥,将密钥分配为隐藏字段的值,然后将该值添加到您的 cookie。然后你只需比较这些值。
我启动了一个母版页可以继承的基类。我选择使用视图状态而不是隐藏输入,因为使用这种方法我不需要担心页面/等上的多个表单。与简单的“查看源代码”相比,找到这个值也需要更多的工作
以下是我试图纠正的一些问题。
当我刷新页面(不是回发)时,视图状态和隐藏输入(当我开始这种方法时)值不会像 cookie 那样更新
当我导航到我的应用程序内的新页面时,新页面在没有有效视图状态的情况下开始,因此我的比较在这种情况下失败......
以下是我正在进行的工作;)
public class PreventXSRF : MasterPage
{
HttpCookie mCookie = null;
FormsAuthenticationTicket mPreviousAuthenticationTicket = null;
FormsAuthenticationTicket mNewAuthenticationTicket = null;
public bool IsXSRF()
{
if ((Request.Cookies(".ASPXAUTH") != null)) {
mCookie = Request.Cookies(".ASPXAUTH");
//get the current auth ticket so we can verify the token (userData) matches the value of the hidden input
mPreviousAuthenticationTicket = FormsAuthentication.Decrypt(mCookie.Value);
}
else {
///'the membership cookie does not exist so this is not an authenticated user
return true;
}
//** ** **
// verify the cookie value matches the viewstate value
// if it does then verify the ttl is valid
//** ** **
if ((mPreviousAuthenticationTicket != null)) {
if (mPreviousAuthenticationTicket.UserData == Token) {
if ((TTL != null)) {
if (Convert.ToDateTime(TTL).AddMinutes(5) < DateTime.Now()) {
///'the ttl has expired so this is not a valid form submit
return true;
}
}
else {
//** ** **
// ?? what about a hack that could exploit this when a user tries to BF
// a value for the token and simply keeps the viewstate for ttl null ??
//** ** **
}
}
else {
//** ** **
// ?? I hit this when I navigate to another page in the app (GET)
// in this event, it was hit because the cookie has a valid token
// but the page is new so viewstate is not valid ... ??
//** ** **
///'the cookie value does not match the form so this is not a valid form submit
return true;
}
}
else {
///'the authentication ticket does not exist so this is not a valid form submit
return true;
}
//** ** **
// if the code gets this far the form submit is 99.9% valid, so now we gen a new token
// and set this new value on the auth cookie and reset the viewstate value
// so it matches the cookie
//** ** **
//gen a new ttl and set the viewstate value
TTL = GenerateTTL();
//gen a new token and set the viewstate value
Token = GenerateToken();
if ((mPreviousAuthenticationTicket != null)) {
//** ** **
// create a new authticket using the current values + a custom token
// we are forced to do this because the current cookie is read-only
// ** ** **
mNewAuthenticationTicket = new FormsAuthenticationTicket(mPreviousAuthenticationTicket.Version, mPreviousAuthenticationTicket.Name, mPreviousAuthenticationTicket.IssueDate, mPreviousAuthenticationTicket.Expiration, mPreviousAuthenticationTicket.IsPersistent, Token);
}
else {
///'TODO: if no auth ticket exists we need to return as this won't be valid
}
if ((mCookie != null)) {
//** ** **
// take the new auth ticket with the userdata set to the new token value
// encrypt this, update the cookie, and finally apply this to the users machine
//** ** **
mCookie.Value = FormsAuthentication.Encrypt(mNewAuthenticationTicket);
Response.Cookies.Add(mCookie);
}
else {
///'TODO: if no cookie exists we need to return as this won't be valid
}
//if we got this far without a return true, it must not be a xsrf exploit so return false
return false;
}
private string GenerateToken()
{
RNGCryptoServiceProvider random = new RNGCryptoServiceProvider();
byte[] randBytes = new byte[32];
random.GetNonZeroBytes(randBytes);
return Convert.ToBase64String(randBytes);
}
private string GenerateTTL()
{
return DateTime.Now();
}
private string TTL {
get { return ViewState("TTL"); }
set { ViewState("TTL") = value; }
}
private string Token {
get { return ViewState("Token"); }
set { ViewState("Token") = value; }
}
}