
I have found an issue with the requireSSL="true" property on an unsecured server (without SSL) in the web.config line in UAT - <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />.

For CSRF (Cross Site Request Forgery) fix, we are using:

var requestCookie = Request.Cookies[AntiXsrfTokenKey];

We cannot read a secure cookie from an unsecure server. So the requireSSL property should be false in web.config for an unsecure server.

If we make requireSSL="false", the CSRF fix works fine but all cookies become unsecure, which generates another issue [Missing Secure Attribute in Encrypted Session (SSL) Cookie].

We have also attached the CSRF fix code, in which the function PreventCSRF() is called by the OnInit(EventArgs e) event in the Default.aspx.cs page.

Locally we don't have SSL; requireSSL="false" works fine with the CSRF fix but not for [Missing Secure Attribute in Encrypted Session (SSL) Cookie]. So the fixes for the CSRF and [Missing Secure Attribute in Encrypted Session (SSL) Cookie] issues depend on each other.

There are 2 queries:

  1. In UAT, SSL is managed at the load balancer level, so the IIS boxes do not have SSL certs installed on them. Can we read a secure cookie using Request.Cookies[AntiXsrfTokenKey]?

  2. If we set requireSSL="false", the CSRF fix works fine but all cookies become unsecure, meaning the [Missing Secure Attribute in Encrypted Session (SSL) Cookie] issue persists for all cookies.


1 Answer


This may not be an answer to your question, but here is something we can try:

To make the most of the CSRF token, you can pass it in Request.Headers. I think transferring the token using a header is a safe approach.

OnInit in Default.aspx is fine, but if there is an httpmodule in between, you can try the AcquireRequestState() method to get HttpContext.Current.Request.Headers["CSRFToken"], keep one copy of that token in session, and validate it (and, depending on the case, whatever other validation logic you have).

answered 2015-12-04T09:20:26.727
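Combining the cookie-plus-second-copy check from the question with the header transport suggested in the answer, as an added C# example (not the original PreventCSRF() code): the Secure flag is set per cookie according to whether the client actually used TLS, so this cookie no longer depends on the global requireSSL switch and still arrives on a local HTTP box. The cookie name AntiXsrfTokenKey comes from the question; the CSRFToken header, the X-Forwarded-Proto header and the class name are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;
// Added example base page, not the original Default.aspx.cs. AntiXsrfTokenKey matches the
// cookie name quoted in the question; the header name and X-Forwarded-Proto are assumptions.
public class CsrfProtectedPage : Page
{
    private const string AntiXsrfTokenKey = "__AntiXsrfToken";
    private const string HeaderName = "CSRFToken";   // header name used in the answer
    private string _antiXsrfTokenValue;
    // Behind an SSL-terminating load balancer IIS sees plain HTTP, so IsSecureConnection is
    // false; X-Forwarded-Proto (assumed to be set only by the load balancer) covers that case.
    private bool ClientUsedTls()
    {
        return Request.IsSecureConnection
            || "https".Equals(Request.Headers["X-Forwarded-Proto"], StringComparison.OrdinalIgnoreCase);
    }
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        var requestCookie = Request.Cookies[AntiXsrfTokenKey];
        if (requestCookie != null && !string.IsNullOrEmpty(requestCookie.Value))
        {
            _antiXsrfTokenValue = requestCookie.Value;
        }
        else
        {
            // First visit: issue a random token. Secure is set per cookie instead of through the
            // global requireSSL switch, so a local box without SSL still receives the cookie.
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
            _antiXsrfTokenValue = Convert.ToBase64String(bytes);
            Response.Cookies.Set(new HttpCookie(AntiXsrfTokenKey, _antiXsrfTokenValue)
                { HttpOnly = true, Secure = ClientUsedTls() });
        }
        ViewStateUserKey = _antiXsrfTokenValue;   // ties the MAC-protected ViewState to the token
    }
    // ViewState is not loaded yet during OnInit, so the postback check runs in OnPreLoad.
    protected override void OnPreLoad(EventArgs e)
    {
        base.OnPreLoad(e);
        if (!IsPostBack) { ViewState[AntiXsrfTokenKey] = _antiXsrfTokenValue; return; }
        // Accept the second copy from the request header (the answer's approach) or ViewState.
        var submitted = Request.Headers[HeaderName] ?? (string)ViewState[AntiXsrfTokenKey];
        if (submitted != _antiXsrfTokenValue)
            throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
    }
}
```

The session cookie is not covered by this class; its Secure attribute still has to be set wherever that cookie is issued, which is what the global requireSSL switch did for every cookie.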