问题
to prevent CSRF I want to implement the Synchronizer Token Pattern in my classic asp application.
I understand that iIshould generate a token in session_onstart. What I do not get is how to generate such a token as it should be random and unique. So a simple Rnd() and randomize will not work, right?
Furthermore should it be hashed in any way? How?
Thanks for any hints...
Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
回答1:
You could use a GUID as token:-
Function GetGUID()
GetGUID = CreateObject("Scriptlet.TypeLib").GUID
End Function
回答2:
I know the question has already been marked as Answered, but I found this post helpful (doesn't really answer your question), particularly the second response which references Chris Shiflett's article explaining CSRF and a simple solution (answers your question plus some).
Here is how you might convert Chris's PHP to VBScript:
Dim token
token = md5(GetGUID())
Session("token")=token
Session("token_time")=Time() ' if you want to allow for a small window of time
' checks to make sure the request method is truly a post-back
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
' Prevent CSRF (Cross-Site Request Forgeries) by comparing request-generated tokens. See http://shiflett.org/articles/cross-site-request-forgeries
If Request.Form("token") = Session("token") Then
' Request is a post-back and is not a CSRF
End If
End If
You can have a look at the md5() function (used to hash the GUID) here. The md5 hash isn't necessary, but does add another layer of uniqueness and security.
来源:https://stackoverflow.com/questions/6421417/howto-implement-synchronizer-token-pattern-in-classic-asp