
Prevent Cross Site Request Forgery in ASP.NET

Jun 16, 2011 at 3:38 AM

Hi guys,

hope some of you could help out regarding the discussion.

Based on the https://developers.facebook.com/docs/authentication/ article, it says that on the server side, it is highly recommended to implement CSRF protection.

How do I do that? I'm not familiar with PHP code and don't really understand the sample in that article.

Also, another question is whether the RedirectToFacebookAuthorization() method from the FGT SDK already comes with CSRF protection?

Sep 11, 2011 at 9:30 PM

Since no one else has responded, I'll take a stab at this. I wouldn't expect FGT to include CSRF protection. That's outside the scope of an SDK like this. CSRF is an attack against your app. It's defended in your code on the server side. FGT is a client to Facebook, so Facebook needs to defend themselves against CSRF by malicious clients, and I'm sure they do.

See: http://en.wikipedia.org/wiki/Cross-site_request_forgery

On that page is a section called Prevention which has some tips. By using a unique session token and/or cookie value, you can prevent CSRF. Refresh cookies frequently and invalidate them with a short timeout. And of course, check for current and valid tokens on every request. Also check the HTTP Referrer header value, though as indicated in the wiki this can be forged, but chances are low that a typical CSRF attack will be that sophisticated. Caution: the referrer may be different on initial Page_Load than from Ajax postbacks, so this specific defense mechanism should be tested rigorously in your specific environment.

HTH
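As an added illustration of the session-token approach described in the answer above (example code written for this page, not from the original thread or the FGT SDK), here is a small System.Web helper. The class and member names (`CsrfGuard`, `RotateToken`, `HiddenField`, `IsValidPost`), the session slot `__csrf_token` and the hidden-field name `__csrf` are all assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

// Hypothetical helper (not part of FGT): synchronizer-token CSRF check for a System.Web app.
// The token lives in the session, goes into each form as a hidden field, and must be echoed back on every state-changing POST.
public static class CsrfGuard
{
    private const string SessionKey = "__csrf_token"; // assumed session slot name
    public const string FieldName = "__csrf";         // assumed hidden-field name
    // Issue a fresh random token, replacing any previous one. Call on login and again
    // after each successful POST to honour the "refresh and invalidate" tip above.
    public static string RotateToken(HttpSessionState session)
    {
        var bytes = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(bytes); // CSPRNG, not System.Random
        var token = Convert.ToBase64String(bytes);
        session[SessionKey] = token;
        return token;
    }
    // Hidden-field markup for the current token (created if none exists yet),
    // attribute-encoded so the value cannot break out of the form.
    public static string HiddenField(HttpSessionState session)
    {
        var token = session[SessionKey] as string ?? RotateToken(session);
        return "<input type=\"hidden\" name=\"" + FieldName + "\" value=\""
             + HttpUtility.HtmlAttributeEncode(token) + "\" />";
    }
    // True only if the submitted token matches the session copy and, when a Referer header
    // was sent, it names our own host. A missing Referer is tolerated (the caveat above).
    public static bool IsValidPost(HttpRequest request, HttpSessionState session)
    {
        var expected = session[SessionKey] as string;
        var submitted = request.Form[FieldName];
        if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(submitted)) return false;
        if (!FixedTimeEquals(expected, submitted)) return false;
        var referrer = request.UrlReferrer;
        return referrer == null
            || string.Equals(referrer.Host, request.Url.Host, StringComparison.OrdinalIgnoreCase);
    }
    // Constant-time comparison so timing differences do not leak the token.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Render `CsrfGuard.HiddenField(Session)` inside every form, and in each POST handler reject the request (for example with a 403) when `CsrfGuard.IsValidPost(Request, Session)` returns false, calling `RotateToken` after a successful one.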