Antiforgery token on login page

I have implemented the antiforgery token on my login page.

Now I had one user who pressed the back button, and when they pressed the login button again after filling in their credentials, they got an error page.

Is there a better way to handle this case, for example redirecting them to a fresh login page?

The login page is: /account/logon

If the login succeeds, the user is redirected to Home/Index, which is where the user clicked the back button.

+18
c# asp.net-mvc-3 antiforgerytoken
Feb 24
4 answers

My solution was as follows:

Reload the page if the user returns to the login page. This ensures a fresh load of the antiforgery token,

and everything is done.

+5
Apr 05

Do not use the ASP.NET AntiForgeryToken on your login page. The token is based on the username, among other criteria, and on the login page it is assumed that the attacker already has credentials for the system in order to use CSRF on this page.

However, you should still use some form of CSRF protection on the login page; see https://security.stackexchange.com/a/2126/51772

+20
Feb 24

I wrote a complete solution here: https://richardcooke.info/en/2014/keep-users-signed-in-after-asp-net-deploy/

Here is the necessary code to call from the GET method in your controller that serves the form:

    using System.Linq;          // needed for Response.Cookies.AllKeys.Contains
    using System.Web;
    using System.Web.Helpers;   // AntiForgery lives here
    using System.Web.Mvc;

    // Issue a fresh cookie/form token pair for the page being rendered so the
    // form never carries a token that was generated for a different identity.
    private void SetANewRequestVerificationTokenManuallyInCookieAndOnTheForm()
    {
        if (Response == null) return;
        string cookieToken, formToken;
        // Passing null as the old cookie token forces a brand-new cookie token.
        AntiForgery.GetTokens(null, out cookieToken, out formToken);
        // The cookie name must match what the validator reads (AntiForgeryConfig.CookieName);
        // "__RequestVerificationToken" is the default for an application rooted at "/".
        SetCookie("__RequestVerificationToken", cookieToken);
        ViewBag.FormToken = formToken;
    }

    // Overwrite the cookie if it is already queued on this response, otherwise add it.
    private void SetCookie(string name, string value)
    {
        if (Response.Cookies.AllKeys.Contains(name))
            Response.Cookies[name].Value = value;
        else
            Response.Cookies.Add(new HttpCookie(name, value));
    }

and the code for the view, used instead of Html.AntiForgeryToken():

    @* Render the manually issued form token when the action provided one,
       otherwise fall back to the standard helper. *@
    @if (ViewBag.FormToken != null)
    {
        <text><input name="__RequestVerificationToken" type="hidden" value="@ViewBag.FormToken" /></text>
    }
    else
    {
        <text>@Html.AntiForgeryToken()</text>
    }
+7
Nov 19 '14 at 12:40

Instead of checking User.Identity.IsAuthenticated, as some of the other posts mentioned, I used my own attribute to handle exceptions and redirect the user to the home page if the exception is an HttpAntiForgeryException.

I believe this avoids any potential security issues with the other methods, and that [ValidateAntiForgeryToken] should always be used on POST methods.

    using System.Web.Helpers;   // HttpAntiForgeryException
    using System.Web.Mvc;
    using System.Web.Routing;

    // Exception filter: a failed anti-forgery check is turned into a redirect
    // to Home/Index instead of the generic error page. [ValidateAntiForgeryToken]
    // stays on the POST action; this filter only changes what happens on failure.
    public class HandleAntiForgeryErrorAttribute : HandleErrorAttribute
    {
        public override void OnException(ExceptionContext filterContext)
        {
            var controllerName = (string)filterContext.RouteData.Values["controller"];
            var actionName = (string)filterContext.RouteData.Values["action"];
            // Kept from the original; not used by the redirect branch below.
            var model = new HandleErrorInfo(filterContext.Exception, controllerName, actionName);

            if (filterContext.Exception is HttpAntiForgeryException)
            {
                filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary
                    {
                        { "action", "Index" },
                        { "controller", "Home" }
                    });
                filterContext.ExceptionHandled = true;
            }
        }
    }
0
Apr 29 '19 at 21:57
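The following is an added example, not code from any of the answers above, that combines the two cases the thread describes: an authenticated user who submitted a cached login form (the back-button case) is sent to the landing page, while an unauthenticated user whose token pair is simply stale is sent back to the login GET so a fresh token is rendered. The class name, the `returnUrl` parameter name and the `Account/LogOn` and `Home/Index` routes (taken from the question) are assumptions; it targets System.Web.Mvc with System.Web.Helpers.

```csharp
using System.Web.Helpers;   // HttpAntiForgeryException
using System.Web.Mvc;
using System.Web.Routing;

// Assumed filter name. Apply it to the account controller, or register it
// globally with GlobalFilters.Filters.Add(new HandleAntiForgeryErrorAttribute()).
// [ValidateAntiForgeryToken] remains on the POST action; this filter only
// decides what the user sees when that validation fails.
public class HandleAntiForgeryErrorAttribute : HandleErrorAttribute
{
    public override void OnException(ExceptionContext filterContext)
    {
        if (!(filterContext.Exception is HttpAntiForgeryException))
        {
            // Not a token failure: defer to the normal error handling.
            base.OnException(filterContext);
            return;
        }

        var routeValues = new RouteValueDictionary();
        var user = filterContext.HttpContext.User;
        bool authenticated = user != null
                             && user.Identity != null
                             && user.Identity.IsAuthenticated;

        if (authenticated)
        {
            // The cached form carried a token issued to the anonymous user,
            // but a valid session already exists, so there is nothing left
            // to prove: send the user to the landing page.
            routeValues["controller"] = "Home";
            routeValues["action"] = "Index";
        }
        else
        {
            // No session: the cookie/form pair is stale (e.g. a tab left open).
            // Re-issue the GET so a fresh token pair is rendered. Preserve the
            // return URL only if it is local, to avoid an open redirect.
            routeValues["controller"] = "Account";
            routeValues["action"] = "LogOn";

            string returnUrl = filterContext.HttpContext.Request["returnUrl"]; // assumed parameter name
            var url = new UrlHelper(filterContext.RequestContext);
            if (!string.IsNullOrEmpty(returnUrl) && url.IsLocalUrl(returnUrl))
                routeValues["returnUrl"] = returnUrl;
        }

        // A 302 makes the browser re-request with GET, so the posted
        // credentials are discarded rather than replayed against a stale token.
        filterContext.Result = new RedirectToRouteResult(routeValues);
        filterContext.ExceptionHandled = true;
    }
}
```

Because the redirect drops the posted form, the unauthenticated user re-enters their credentials on the freshly rendered page; a short message on that page (for example via TempData) explaining that the form expired is the usual way to make the retry less confusing.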
