Anti forgery token on login page

I have implemented antiforgery token on my login page.

Now I had one user press the back key on the keyboard, and when they clicked the login button again after filling in their credentials, they got an error page.

Is there some better way of handling this case, like redirecting them to a fresh login page?

The login page is: /account/logon

If the login details are successful, the user is redirected to the Home/Index page, on which the user pressed the back button.

cpoDesign asked Feb 24 '12 15:02


People also ask

When should I use anti-forgery token?

To prevent CSRF attacks, use anti-forgery tokens with any authentication protocol where the browser silently sends credentials after the user logs in. This includes cookie-based authentication protocols, such as forms authentication, as well as protocols such as Basic and Digest authentication.

What is validate anti-forgery token?

The basic purpose of ValidateAntiForgeryToken attribute is to prevent cross-site request forgery attacks. A cross-site request forgery is an attack in which a harmful script element, malicious command, or code is sent from the browser of a trusted user.

What is AntiForgeryToken in web API?

Adding an AntiForgeryToken generates a cryptographically valid hash at the server end which is split: one part is added as a hidden field, and the rest goes into a cookie. When data is posted, the cookie and the hidden field are both sent back, and if they are missing or they don't match, the POST is rejected.


2 Answers

Don't implement the ASP.NET AntiForgeryToken on your login page. The token is based on a username among other criteria, and a login page assumes the attacker already has credentials to a system in order to be able to exploit CSRF on that page.

However, you should use some form of CSRF protection on your login page - see https://security.stackexchange.com/a/2126/51772

Adam Tuliper answered Sep 28 '22 05:09
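One way to follow the recommendation above (CSRF protection on the login page that does not depend on the ASP.NET token's username binding) is a login-only token that is issued in an HttpOnly cookie and echoed in a hidden field, compared on POST. Because the token is not tied to a user name, it also covers the back-button case from the question: a stale or missing token sends the user to a freshly rendered form instead of an error page. This is an added example written for this page, not code from either answer or from ASP.NET; the cookie and field name __LoginCsrf, the LogOnModel class and the use of Membership.ValidateUser are assumptions modelled on the MVC 3 project template.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Assumed view model (the MVC 3 template ships a similar one).
public class LogOnModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    // Hypothetical names: cookie and hidden-field name used only by the login form.
    private const string LoginCsrfCookie = "__LoginCsrf";
    private const string LoginCsrfField = "__LoginCsrf";

    // GET /account/logon
    [HttpGet]
    public ActionResult LogOn()
    {
        // A user who is already signed in and navigated back to the cached
        // login form does not need to log in again.
        if (Request.IsAuthenticated)
            return RedirectToAction("Index", "Home");

        // Fresh random token on every render. The same value goes into an
        // HttpOnly cookie and into the hidden field (double-submit pattern);
        // nothing here depends on a user name, so it survives the
        // anonymous-to-authenticated transition.
        var token = NewToken();
        Response.Cookies.Add(new HttpCookie(LoginCsrfCookie, token)
        {
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        });
        ViewBag.LoginCsrfToken = token;
        return View();
    }

    // POST /account/logon
    [HttpPost]
    public ActionResult LogOn(LogOnModel model)
    {
        var cookie = Request.Cookies[LoginCsrfCookie];
        var formToken = Request.Form[LoginCsrfField];

        // Cookie or field missing, or the two differ: either a cross-site POST
        // or a stale form reached via the back button. Either way, redirect to
        // a fresh GET rather than rendering an error page.
        if (cookie == null || string.IsNullOrEmpty(formToken)
            || !FixedTimeEquals(cookie.Value, formToken))
            return RedirectToAction("LogOn");

        if (!ModelState.IsValid || !Membership.ValidateUser(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View(model);
        }

        // The login token is single-use: expire it once credentials were accepted.
        Response.Cookies.Add(new HttpCookie(LoginCsrfCookie, "")
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
        FormsAuthentication.SetAuthCookie(model.UserName, false);
        return RedirectToAction("Index", "Home");
    }

    // 256 bits from the platform CSPRNG, base64-encoded for cookie/field use.
    private static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Constant-time comparison so the check does not leak how many leading
    // characters of the token matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The view renders the token as a hidden input named __LoginCsrf (the value of LoginCsrfField) with value @ViewBag.LoginCsrfToken, in place of @Html.AntiForgeryToken(). The double-submit check assumes an attacker cannot set cookies for your host (for example from a sibling subdomain); where that is not guaranteed, keep the token server-side in a pre-login session instead and compare the posted field against it.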


I've written up a full solution here: https://richardcooke.info/en/2014/keep-users-signed-in-after-asp-net-deploy/

Here's the necessary code to call in your controller from your GET method:

using System.Linq;             // for AllKeys.Contains
using System.Web;              // HttpCookie
using System.Web.Helpers;      // AntiForgery

// Issue a brand-new cookie/form token pair on every GET of the login page,
// so the form never carries a token that no longer matches the cookie.
private void SetANewRequestVerificationTokenManuallyInCookieAndOnTheForm()
{
    if (Response == null)
        return;

    string cookieToken, formToken;
    // Passing null as the old cookie token forces a fresh cookie token.
    AntiForgery.GetTokens(null, out cookieToken, out formToken);
    SetCookie("__RequestVerificationToken", cookieToken);
    ViewBag.FormToken = formToken;
}

// Overwrite the cookie if the response already carries one, otherwise add it.
private void SetCookie(string name, string value)
{
    if (Response.Cookies.AllKeys.Contains(name))
        Response.Cookies[name].Value = value;
    else
        Response.Cookies.Add(new HttpCookie(name, value));
}

and code to put in your view in place of Html.AntiForgeryToken():

@if (ViewBag.FormToken != null)
{
    <text><input name="__RequestVerificationToken" type="hidden" value="@ViewBag.FormToken" /></text>
}
else
{
    <text>@Html.AntiForgeryToken()</text>
}
Richard answered Sep 28 '22 04:09