
Viewstate user key & Double submit cookie


CSRF attack protection for all pages that inherit from the site.master page.

1. All Web Forms pages that modify data use the site.master page.

2. All requests that modify data use ViewState.

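3. The website must be free from XSS vulnerabilities, because script injected into a page runs in the site's origin and can submit forms that carry a valid ViewState.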

By using the Microsoft .NET Protection Library:

// Name of the cookie that carries the anti-XSRF token; Page_Init reads it from
// the request and writes it to the response.
private const string AntiXsrfTokenKey = "__AntiXsrfToken";

// Not referenced in the code shown here; presumably the ViewState key for the
// user name that master_Page_PreLoad checks -- confirm against that handler.
private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";

// Anti-XSRF token for the current request. Page_Init assigns it either from the
// request cookie or from a newly generated GUID.
private string _antiXsrfTokenValue;

// Establishes the anti-XSRF token for this request and binds it to ViewState.
//
// If the request carries a cookie named AntiXsrfTokenKey whose value parses as
// a GUID, that value is reused as the token. Otherwise a new GUID token is
// generated and returned to the browser in an HttpOnly cookie. In both cases
// the token becomes Page.ViewStateUserKey, and master_Page_PreLoad is
// subscribed to the page's PreLoad event.
//
// NOTE(review): nothing in this method rejects a request. Any comparison of
// the token has to happen in master_Page_PreLoad, which is not shown here --
// confirm that handler validates on postback before relying on this for CSRF
// protection.
protected void Page_Init(object sender, EventArgs e)
{
    var tokenCookie = Request.Cookies[AntiXsrfTokenKey];
    Guid parsedToken;

    // Guid.TryParse is a format check only. The cookie value is supplied by the
    // client, so any well-formed GUID is accepted as the token here.
    bool cookieHoldsToken = tokenCookie != null
        && Guid.TryParse(tokenCookie.Value, out parsedToken);

    if (cookieHoldsToken)
    {
        // Keep using the token the browser already has.
        _antiXsrfTokenValue = tokenCookie.Value;
    }
    else
    {
        // No usable token yet: mint one and hand it to the browser.
        _antiXsrfTokenValue = Guid.NewGuid().ToString("N");

        var tokenResponseCookie = new HttpCookie(AntiXsrfTokenKey);
        tokenResponseCookie.HttpOnly = true;
        tokenResponseCookie.Value = _antiXsrfTokenValue;

        // NOTE(review): Secure is forced on only when forms authentication is
        // configured to require SSL and this request arrived over HTTPS. In
        // every other case the cookie keeps its default Secure setting, so on
        // an HTTPS site without that configuration the token cookie may also
        // travel over plain HTTP. Check the site's cookie/SSL configuration.
        bool markSecure = FormsAuthentication.RequireSSL && Request.IsSecureConnection;
        if (markSecure)
        {
            tokenResponseCookie.Secure = true;
        }

        Response.Cookies.Set(tokenResponseCookie);
    }

    // ViewStateUserKey ties this page's ViewState to the token, so ViewState
    // issued under a different token should not validate for this browser.
    Page.ViewStateUserKey = _antiXsrfTokenValue;

    Page.PreLoad += master_Page_PreLoad;
}
