I have an MVC 4.0 site that uses AntiForgeryTokens to protect against CSRF attacks.
What I am finding is that I can reuse an old __RequestVerificationToken after new sessions have been opened.
I start with adding to the .cshtml
#Html.AntiForgeryToken()
I then decorate the Post Action method in the controller with
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult DoSomething(MyViewModel model)
{
}
I then do the following :-
Log in to admin site and scrape the __RequestVerificationToken value.
Log Out
Log Back In again (in theory there should now be a new token created)
Then submit the form below in a new tab in the same browser (see that I have used the token from the previous request).
<html>
<body>
<form action="http://adminsite.com/DoAction" method="POST">
<input type="hidden" name="id" value="26" />
<input name="__RequestVerificationToken" type="hidden" value="rt95zr0voZbgLga117YNBfwwLpTU8onGCDmZ4IQEisvhiNH_9ISTtsbDzIVgIkRUzwH81PpbrTRGK4MLSp3S3j-JMNjsJTL04TRl2J38rNz8KKomL98gLjEiJoXgMXFt0qaJ8tPaB4_PvGo8ATaxLcA2" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
What I find is that even though I have logged out and back in again, I am still able to use the old __RequestVerificationToken and I can successfully post the form.
After reading through the documentation (http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages) there is no mention of invalidation of token.
My questions are :-
Shouldn't it now be invalid?
If not, why not?
Is there a way of making the __RequestVerificationToken invalid after logging out and back in again?
Related
I am implementing a search an sending a search form to an action. Everything is working as expected but the url after the submit isn't very friendly and contain undesirable information. It is showing the whole request query array as a query string. I have a form with a fieldset element named 'album-search'.
Here is the url I am getting right now:
http://hostname/music_organizer/public/albums/page/1?album-search[term]=art&csrf=12b6065ab7ea428f02ad36a9cc363752-d96a14c1c7f1f2961112014a1e200e03&search=Search
Here is the url i am want to get:
http://hostname/music_organizer/public/albums/page/1?term=art
I have tried to set the query string in the action like this:
public function searchAction(){
//code
$this->getRequest()->getQuery()->set('term', $term);
//code
return $viewModel;
}
but no luck,
Thanks in advance
I thought your current rendering form should be like this
<form method="get" action="...">
<input name="term">
<input type="hidden" name="csrf" value="...">
<input type="submit" name="" value="Search">
<form>
Remove Submit Button:
Don't specify the submit button name while creating it
Remove CSRF element
If you don't required csrf element in querystring then remove it from your view page. but this csrf tag is very useful to avoid cross-site request forgery attacks.
--SJ
In my web application I want to remove the username,password which are automatically stored by browser on click of remember me.
I know this is browser property but is there anyway to remove this on loading of my website and clearing all saved username,password of my website..
Thanks & Regards...
Best way I've found of doing it thusfar, is faking the browser into thinking there are multiple username/password fields on the form. The browser's save username/password generally look for the first password field and the field previous to it for the username, so I have added new fields to the page in a hidden div, outside of my form to resolve the problem
<div style="display:none;">
<input type="text" id="fake_username"/>
<input type="password" id="fake_password"/>
</div>
<form action="..." method="POST">
<input type="text" id="username"/>
<input type="password" id="password"/>
<input type="submit" value="Submit"/>
</form>
I also generally add the autocomplete="off" to my form and input elements, either directly or via a jquery script (below) on document.ready
$(document).ready(function() { $("input").attr("autocomplete", "off") });
I think this is not possible to remove saved passwords but you can prevent saving by
<form id="login" action="loginURL" method="post" autocomplete="off">
Modern browsers implement integrated password management: when the user enters a username and password for a site, the browser offers to remember it for the user. When the user visits the site again, the browser autofills the login fields with the stored values.
Additionally, the browser enables the user to choose a master password that the browser will use to encrypt stored login details.
Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.
For this reason, many modern browsers do not support autocomplete="off" for login fields:
If a site sets autocomplete="off" for a form, and the form includes username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.
If a site sets autocomplete="off" for username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.
This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).
If an author would like to prevent the autofilling of password fields in user management pages where a user can specify a new password for someone other than themself, autocomplete="new-password" should be specified, though support for this has not been implemented in all browsers yet.
Try This,
<input type="hidden" id="hiddenUsername" name="username"/>
<input type="hidden" id="hiddenPassword" name="password"/>
<form id="theForm" action="/your/login" method="post" autocomplete="off">
<input type="text" id="username" name="username"/>
<input type="password" id="password" name="password"/>
<input type="submit" value="Login"/>
</form>
<script type="text/javascript" language="JavaScript">
$("#theForm").submit(function() {
$("#hiddenUsername").val($("#username").val());
$("#hiddenPassword").val($("#password").val());
});
</script>
Demo, Will work as you want(Note: just to check how it's working with hiddenfields)
I have the following form
<form id="file_upload" action="/Upload/Save" method="POST" enctype="multipart/form-data">
<input type="text" id="txtProposalName" name="name" placeholder="Nome da Camiseta" />
<input type="text" id="txtProposalDesc" name="description" placeholder="Descrição da Camiseta"/>
<div class="fileupload-buttonbar">
<div class="progressbar fileupload-progressbar"></div>
<span class="fileinput-button">
Upload images
<input type="file" name="files[]" multiple />
</span>
</div>
<input type="hidden" id="imgID" name="imgID"/>
<input type="submit" id="postProposal"/>
Would call this action:
[HttpPost]
public JsonResult Save(string name, string description, string imgID)
{
return Json("a");
}
(This is the current implementation, it has no logic because I am still testing some things).
My problem is: when I click on my submit button, the action is called with the correct values, but when it returns, my browser redirects to /Upload/Save (which is the action URL).
Why is this happening? Is there any way to prevent it?
Thanks!
You can use an asynchronous call to your method (e.g. AJAX) to prevent the page from reloading.
You can use Ajax.BeginForm to prevent reload page.
As I can see you use full page reload with:
action="/Upload/Save"
Also you trying to post data to json action method in controller. You need all form submit make with jquery, most problems you will find with ajax file uploaders.
Added:
Also look at serialize() it will help you to collect all form input values.
Dont need to prevent it, just redirect the user in your server code .
I need to open another site in new tab from code behind in Asp.net MVC.
return Redirect("Url"); is used to open the another site within the same tab.
It doesn't really seem practical for the users, because after authenticating in the second tab, they have to refresh the first tab to see the effects.
The ReturnUrl property of FormsAuthentication seems to do what you want. When the user needs to log in, they are redirected to the login page, and after signing in they are redirected back.
If you are making extensive use of javascript and ajax, and want to keep the javascript variables of the current page but need to log in to do the ajax calls, there might be another solution. If the response of your ajax call is the unauthenticated header, open a lightbox or something like that with a username and password field. Use ajax post to the AccountController to sign in the user again. This way, the user is authenticated again, but you keep the javascript variables.
This can be done using javascript only. Try this.
<%
Response.Write '<script type="text/javascript">
window.open(url);
</script>'
%>
Hope it works.
if you call action from form and use input type of submit you can try
<input type="submit" formtarget="_blank" />
if you use link <a> or AjaxCall you can try
<a target="_blank"></a> or in ajax helper set property #target="_blank"
here is my code
cshtml
#using (Html.BeginForm("PersonsReport", "Reports"))
{
<br />
<div style="text-align: center;">
<input type="submit" formtarget="_blank" class="btn btn-primary" value="GetReport" style="width:100%;" />
</div>
<br />
}
controller.cs
public ActionResult PersonsReport()
{
return Redirect("/PersonsReport.aspx");
}
When you start an ASP.NET MVC project in Visual Studio 2008, you get a fully loaded site template, including login forms and the like. In the default form to login, you will find this in the markup...
<%= Html.CheckBox("rememberMe") %>
When you view the source in the browser, you will see that this renders to...
<input id="rememberMe" name="rememberMe" type="checkbox" value="true" />
<input name="rememberMe" type="hidden" value="false" />
What is the purpose of this hidden field, and the default values? Is there a reason for this? Makes no sense to me.
This is the comment from the ASP.NET MVC source:
// Render an additional <input type="hidden".../> for checkboxes. This
// addresses scenarios where unchecked checkboxes are not sent in the request.
// Sending a hidden input makes it possible to know that the checkbox was present
// on the page when the request was submitted.
In short: unchecked checkboxes (values) are not sent in the request. If the checkbox is unchecked then the value from the hidden input will be send in the request.