CSRF Http Module


The CSRF module aims to reduce the chances of Cross-site request forgery (CSRF) exploits. It works as follows.

How is the CSRF token created?

A token is created by hashing the userId with a random salt value. The token is then placed in a hidden form field called CSRFTOKEN, which the CommerceServerContribCsrfMitigationModule injects into the page via the CSRFPageFilterStream.

How is the token validated?

For the CSRF token to pass validation, its value must match a hashed version of the userId. On the client side the userId is only available as an encrypted value in the user cookie.

What does the validation process look like?

During the PreRequestHandlerExecute event the CommerceServerContribCsrfMitigationModule checks whether the request should be inspected for CSRF. By default the conditions are that the page is served over SSL and the request was made by an authenticated user. There are other conditions, but these are the main ones to be concerned with, and you can change them if you wish.

If the request is for a page, the module makes sure that the HTTP verb matches the action that is actually happening. After validation a token is created and injected into the page.

If the incoming request was not targeted at a page (i.e. it is an AJAX call) and the request was a POST, the request will be validated. The module checks the FORM for a field called CSRFTOKEN; if it is missing or empty the request fails, otherwise token validation proceeds.
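The following is an added illustration of the scheme described above (token creation, the SSL/authenticated-user condition, and validation of the CSRFTOKEN form field on POST) as a minimal ASP.NET IHttpModule. It is not the CommerceServerContrib module's own code: the class name, the choice of SHA-256 over a per-session salt stored under a hypothetical session key, the Base64 encoding, the 403 response on failure, and the HiddenField helper (used here in place of the CSRFPageFilterStream) are all assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Hypothetical example module; names and the salt-storage choice are assumptions,
// not the CommerceServerContribCsrfMitigationModule implementation.
public class CsrfTokenExampleModule : IHttpModule
{
    private const string TokenFieldName = "CSRFTOKEN";  // hidden form field named on the page
    private const string SaltSessionKey = "CsrfSalt";   // assumed: per-session salt storage

    public void Init(HttpApplication app)
    {
        // Session state is already acquired by the time PreRequestHandlerExecute fires.
        app.PreRequestHandlerExecute += OnPreRequestHandlerExecute;
    }

    public void Dispose() { }

    private static void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Default conditions named on the page: SSL and an authenticated user.
        if (!ctx.Request.IsSecureConnection || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;

        // Handlers that do not use session state cannot hold a salt; skip them here.
        if (ctx.Session == null)
            return;

        string userId = ctx.User.Identity.Name;
        string salt = GetOrCreateSalt(ctx);

        if (string.Equals(ctx.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            // Missing or empty CSRFTOKEN fails the request, otherwise the token is validated.
            string submitted = ctx.Request.Form[TokenFieldName];
            if (string.IsNullOrEmpty(submitted) || !ValidateToken(submitted, userId, salt))
            {
                ctx.Response.StatusCode = 403;
                app.CompleteRequest();
                return;
            }
        }

        // After validation a fresh token is made available for injection into the page.
        ctx.Items[TokenFieldName] = CreateToken(userId, salt);
    }

    // Token = hash(salt || userId); the salt never leaves the server.
    public static string CreateToken(string userId, string salt)
    {
        using (var sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(Encoding.UTF8.GetBytes(salt + ":" + userId));
            return Convert.ToBase64String(hash);
        }
    }

    // Recompute the expected token and compare in constant time.
    public static bool ValidateToken(string submitted, string userId, string salt)
    {
        byte[] expected = Encoding.UTF8.GetBytes(CreateToken(userId, salt));
        byte[] actual = Encoding.UTF8.GetBytes(submitted);
        if (expected.Length != actual.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    // Hidden field markup a page (or a response filter) would emit for the token.
    public static string HiddenField(string token)
    {
        return "<input type=\"hidden\" name=\"" + TokenFieldName + "\" value=\""
             + HttpUtility.HtmlAttributeEncode(token) + "\" />";
    }

    private static string GetOrCreateSalt(HttpContext ctx)
    {
        var salt = ctx.Session[SaltSessionKey] as string;
        if (salt == null)
        {
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create())
                rng.GetBytes(bytes);
            salt = Convert.ToBase64String(bytes);
            ctx.Session[SaltSessionKey] = salt;
        }
        return salt;
    }
}
```

Because the salt is random and stays in server-side session state, the token cannot be recomputed by a third-party site that knows only the userId; a page then emits `HiddenField((string)Context.Items["CSRFTOKEN"])` inside each form so that legitimate POSTs carry the field the module checks.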

Last edited Dec 11, 2012 at 3:31 PM by cmcauliffe, version 7