How to implement antiforgery token in global.asax? - asp.net

To prevent CSRF attacks, it's required to implement an antiforgery token for an asp.net website (not for MVC) in our project. We are not able to find it on Google. It's better if we implement it in global.asax. Kindly help. Thanks in advance.

Which version of .net are you working with? Certain versions have it built into the Master page, otherwise if you need to see what it looks like in a webforms project you can check:
https://software-security.sans.org/developer-how-to/developer-guide-csrf
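One way to do this from Global.asax in a Web Forms site, as an added example that is not code from this thread or from the linked guide: every page's view state MAC is bound to a per-browser token cookie, so a forged cross-site postback fails view state validation. The cookie name is an assumption, and the approach relies on view state MAC being enabled and covers postbacks only.

```csharp
// Global.asax.cs (added example; class layout and cookie name are assumptions)
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public class Global : HttpApplication
{
    private const string AntiXsrfCookie = "__AntiXsrfToken"; // assumed name

    // Runs just before the handler executes, for every request.
    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        var page = Context.Handler as Page;
        if (page == null) return;           // static files, .ashx handlers, etc.
        page.Init += BindViewStateToToken;  // ViewStateUserKey must be set no later than Init
    }

    private static void BindViewStateToToken(object sender, EventArgs e)
    {
        var page = (Page)sender;
        HttpRequest request = page.Request;
        HttpCookie cookie = request.Cookies[AntiXsrfCookie];
        Guid parsed;
        string token;

        if (cookie != null && Guid.TryParse(cookie.Value, out parsed))
        {
            token = cookie.Value;           // reuse the token this browser already holds
        }
        else
        {
            token = Guid.NewGuid().ToString("N");
            var fresh = new HttpCookie(AntiXsrfCookie, token) { HttpOnly = true };
            if (FormsAuthentication.RequireSSL && request.IsSecureConnection)
                fresh.Secure = true;
            page.Response.Cookies.Set(fresh);
        }

        // The view state MAC is now keyed to this token and the signed-in user.
        // A postback sent without the matching cookie, or as another user,
        // fails MAC validation and the page throws before any event handler runs.
        string userName = page.User != null ? page.User.Identity.Name : string.Empty;
        page.ViewStateUserKey = token + "|" + userName;
    }
}
```

Requests that change state without a view-state postback (GET links, .ashx handlers, Web API calls) are not covered by this check and need their own token validation.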

Related

login with microsoft api in asp net framework (webforms)

I've searched a lot but unfortunately I didn't find the correct answer for my case.
I need to add a button in my webform page to use it to login with microsoft account and after login I get a response which has a token and email (I'll use them then).
I need to do the normal approach to login with third party (authentication)
note:
I don't use identity in this project.
Most of the solutions I found belong to MVC but in this project I use webforms.
Finally I found the solution.
It suits my case, in which I use webforms, not MVC
(without identity)
https://learn.microsoft.com/en-us/graph/auth-v2-user
Well, if you are going to use a whole new 100% different logon system, and a whole new 100% different authentication provider?
You have little choice - you have to add that authentication provider to that asp.net site. There is really no other way around this.
You thus have to add OWIN to your existing application,
so you can set up a whole new authentication system for your web site. Certainly not for the faint of heart, and VERY MUCH BEYOND the scope of a simple question + answer site like SO.
But there are a good number of articles and step by step on this, such as:
https://tomasherceg.com/blog/post/modernizing-asp-net-web-forms-applications-part-2#:~:text=OWIN%20can%20be%20integrated%20with%20ASP.NET%20quite%20easily,combination%20with%20Web%20Forms%20pages%20%28or%20MVC%20controllers%29.
So, you at the end of the day really need to add identity authentication to your site.
https://learn.microsoft.com/en-us/aspnet/identity/overview/getting-started/adding-aspnet-identity-to-an-empty-or-existing-web-forms-project#:~:text=Select%20New%20Project%20from%20the%20Start%20page%2C%20or,New%20ASP.NET%20Project%20dialog%2C%20select%20the%20Empty%20template.

MVC 4 Web Api Security from C.S.R.F. Attacks

I am using asp.net mvc4 web api. I am using Form Authentication for security. I have asp form pages (.aspx) at client side. Is there any way to implement Antiforgery in this scenario? Please describe in detail. I have done it in cshtml pages but found no way to implement it in .aspx forms.
You might have found the solution for this, still adding reference to the page where you can find how to use CSRF prevention in ASP.Net
http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

how to pass querystring in friendly url in asp.net web application

Hope this is the best place to put this question.
I am working on a web application where any user can check the details of another user by a link.
Currently this is the link for test:
http://www.contractgenies.com/Snapshotprofile.aspx?ViewRef=test09last099826
it is working fine but
Problem :
I want to show this as :
http://www.contractgenies.com/test09last099826
without query string or page name.
Is this possible or not? Please let me know.
You can use UrlRewriting mechanism to achieve this job.
URL Rewriting Module
If you are going to use ASP.Net MVC then use routing mechanism.
Routing Mechanism ASP.Net MVC

How can I use an ASP.NET MembershipProvider to carry over users' session data stored in cookies set by ColdFusion?

I'm working on adding a new webapp to an existing website. I've been directed to write the webapp in ASP.NET. The existing website is written in ColdFusion. For the most part, the ASP.NET webapp is completely stand-alone, but it needs to interact with the ColdFusion code in one important way - if somebody logs in to the ColdFusion site, we don't want them to have to log in again when visiting an ASP.NET page.
When someone logs in to the ColdFusion site, their username is stored in a cookie, along with a login token that can be looked up in our database. My .NET is a little rusty, so I'm having trouble visualizing how the ASP.NET code should use this data. I've already written a simple MembershipProvider that can be used to log in/out of the ASP.NET app using the data in our existing database tables, which are shared with the ColdFusion code.
What I'd like to know is - how can I make sure the ASP.NET app detects the cookies set by the ColdFusion app (I imagine they'd be sent to the ASP.NET pages, since everything is hosted on one domain), and automatically logs the user in using the MembershipProvider and Forms Authentication, using the credentials supplied in the cookie? I'm thinking of putting some kind of cookie check and log in function in the Global.asax file, set to run every page load for every page... but that seems kind of clunky. Also, do people still use the Global.asax file anyway? I had thought there was a more modern method.... Also, how can I manually log someone in using Forms Authentication and a custom membership provider? Currently my code allows the user to log in using the provided login control, but I'm not sure how to log the user in without them having to do anything.
Thanks in advance for any help. Looking over the MembershipProvider tutorials and the MSDN documentation it seems to me like the answer should be staring me in the face, but for some reason I just can't see it. Maybe not enough coffee....
Not sure if this is what you're looking for:
FormsAuthentication.SetAuthCookie("the username goes here",false);
Reference
I'm a CF developer usually, but we had to do some integration with a .NET application recently and the way we approached it was to keep the CF and .NET sessions separate but ensure that login happened on both so when the user moved from one to the other they were still logged in.
So is there perhaps a way for you to hit your ASP.NET application with a request to login a user when you login using the CF application? Perhaps you could have an iframe on the page that you can load when the CF login is complete that holds a login service for the .NET app?
This way you would not need to worry about one app server reading the other app server's cookies, instead there would be two sets of cookies, one for ASP and one for CF.
Hope that helps!
The way I would approach it, is I would have a specific page that acts as a liaison between the CF and .NET layer. That page would implement your business layer and just check to see if the Cookie is there, if so read it in, do the lookup and login the user or whatever business logic that needs to be done. How would you accomplish the login/authentication, well that’s all based on your login/authentication code.
The only link I can offer is the basics of cookies in ASP.net
http://msdn.microsoft.com/en-us/library/aa289495(v=vs.71).aspx
Edit: found another link that might be helpful.
http://www.aspnettutorials.com/tutorials/network/cookies-csharp.aspx
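The cookie check and automatic login discussed in this thread, as an added example that is not code from any of the answers: the ColdFusion cookies are read in Global.asax, the login token is verified server-side, and only then is a Forms Authentication ticket issued. The cookie names and the in-memory token table (standing in for the shared database lookup) are assumptions with constructed values.

```csharp
// Global.asax.cs (added example; cookie names and token table are hypothetical)
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    private const string CfUserCookie = "CF_USERNAME";     // assumed name
    private const string CfTokenCookie = "CF_LOGINTOKEN";  // assumed name

    // Constructed sample data; replace with the query against the shared tables.
    private static readonly Dictionary<string, string> TokenTable =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { "alice", "constructed-token-0001" } };

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Request.IsAuthenticated) return;  // a valid Forms ticket already exists

        HttpCookie user = Request.Cookies[CfUserCookie];
        HttpCookie token = Request.Cookies[CfTokenCookie];
        if (user == null || token == null) return;
        if (string.IsNullOrEmpty(user.Value) || string.IsNullOrEmpty(token.Value)) return;

        // Cookies are client-controlled: the user name counts for nothing
        // until the token paired with it has been verified on the server.
        if (!LoginTokenIsValid(user.Value, token.Value)) return;

        FormsAuthentication.SetAuthCookie(user.Value, false);
        // SetAuthCookie only affects later requests; authenticate this one too.
        Context.User = new GenericPrincipal(
            new GenericIdentity(user.Value, "Forms"), new string[0]);
    }

    private static bool LoginTokenIsValid(string userName, string token)
    {
        string expected;
        if (!TokenTable.TryGetValue(userName, out expected)) return false;
        if (expected.Length != token.Length) return false;
        int diff = 0;  // compare without exiting early on the first mismatch
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ token[i];
        return diff == 0;
    }
}
```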

ASP.NET Routing

I have a small task to do, and figured it would be better to start here than doing it wrong then coming here again.
I need to replace my URLs with a more friendly format as the following:
Current: www.MySite.com/default.aspx?userID=XX
I want the users to type : www.MySite.com/user/(UserName)
Also, Current: www.MySite.com/default.aspx?userID=XX&ref#XX
I want the users to type: www.MySite.com/user/(UserName)/ref#{refno}
Thanks in advance
PS: I do not want to use Asp.net MVC.
You can use the MVC Routing Feature without using MVC, as it's a separate component built on top of ASP.net.
There is an article on 4GuysFromRolla about this.
You can use routing in Webforms:
Using ASP.NET Routing Without ASP.NET MVC
If you can, I'd just use IIS7 URL Rewriting for that. Your mapping configuration can go in your web.config, and you wouldn't have to change your application at all.
Friendly URL tutorial
IIS7 Rewriting and Web Forms
