Various questions

Mar 24, 2009 at 2:30 PM
Hi,

I am looking at using AntiCSRF but have a few questions:

  1. Is there any reason why you don't generate a new token for each request, i.e. the token could only be used once? This would surely raise the bar against a CSRF attack more than having the same token used for the entire session?
  2. For POST requests, storing and comparing the token in the form field and the cookie allows protection. If you replaced the form field with Session storage would this not allow protection for GET as well as POST requests?

I look forward to your response.

Thanks in advance,

Mike.

Coordinator
Mar 24, 2009 at 2:38 PM
Hi Mike

So ..

  1. Tabbed browsing. I did this with my initial attempt and let a friend test it who laughed very hard and asked me what would happen if someone had two windows on the same site open. A one-time token doesn't work in this case, as the second window will overwrite the first window's token and *bang*.
  2. I didn't want to depend on session for a couple of reasons. People may not be using session at all (I know I try to avoid it and disable it when I can) or, if I enforced it, it would require shared session state if you used multiple machines. Plus it puts all the protection on a cookie (well two, the session cookie and the token cookie), so that created a single attack point. By using a form token it means two areas would have to be compromised.
I'm aware this doesn't protect GET requests. Of course really you shouldn't need to protect GET requests at all, as they should be idempotent requests. However a number of people have asked for it, so I'm mulling over how to proceed. The usual way is a token in the URL, and this is probably my favoured approach for the same reason as not relying on session state. Of course making it automatic is a whole other problem :)

Barry
Mar 24, 2009 at 3:25 PM

Barry,

Thanks for the very quick response.

  1. Ha. Bang indeed. Hadn't thought about that. Curse these modern browsers!!!
  2. Fair comments and I see your point. After all, from what I've read, even protection such as that offered by your project can still be circumvented; it's just about how far you can reasonably raise the bar.

Thanks again,

Mike.


Coordinator
Mar 24, 2009 at 5:15 PM
Another thought. The problem with using the session id and avoiding a form token is that the session ID is carried as a cookie. So I could then create a form on a remote site and submit it. The CSRF cookie comes with the request and is compared with ... another cookie which has come with the request. So no protection at all :)
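The three checks debated in this thread so far (the cookie-plus-form-field comparison the module uses, the one-time token and its two-tab failure from the tabbed browsing post, and the cookie-compared-with-cookie check from the post above) modelled in a small Python script. This is an added example, not code from the AntiCSRF project: the Browser and Server classes, the three policy names and the scenario functions are constructed for it, and the cookie and field names are the ones from the thread's web.config.

```python
import hmac
import secrets

COOKIE_NAME = "__CSRFCOOKIE"          # names used in the thread's web.config
FIELD_NAME = "__CSRFTOKEN"
SESSION_COOKIE = "ASP.NET_SessionId"  # stand-in session cookie for the cookie-only policy


class Browser:
    """One cookie jar shared by every tab, as in a real browser (constructed for this example)."""

    def __init__(self):
        self.cookies = {}

    def submit(self, fields):
        """What the server sees on a POST: the cookies ride along automatically."""
        return dict(self.cookies), dict(fields)


class Server:
    """Toy server implementing one of three token policies (constructed for this example)."""

    def __init__(self, policy):
        assert policy in ("per_session", "per_request", "cookie_only")
        self.policy = policy
        self.session_tokens = {}  # cookie_only: session id -> token the server expects

    def get_form(self, browser):
        """Serve the form on a GET: set or refresh the cookie, return the hidden field."""
        if self.policy == "cookie_only":
            sid = browser.cookies.setdefault(SESSION_COOKIE, secrets.token_hex(8))
            token = self.session_tokens.setdefault(sid, secrets.token_hex(16))
            browser.cookies[COOKIE_NAME] = token
            return {}  # no hidden field: the check has only cookies to compare
        if self.policy == "per_session" and COOKIE_NAME in browser.cookies:
            token = browser.cookies[COOKIE_NAME]  # same token for the whole session
        else:
            token = secrets.token_hex(16)  # fresh token, overwriting any earlier cookie
            browser.cookies[COOKIE_NAME] = token
        return {FIELD_NAME: token}

    def post(self, cookies, fields):
        """Run the CSRF check on a POST; True means the request is accepted."""
        if self.policy == "cookie_only":
            expected = self.session_tokens.get(cookies.get(SESSION_COOKIE, ""))
            presented = cookies.get(COOKIE_NAME, "")
            return expected is not None and hmac.compare_digest(expected, presented)
        cookie_token = cookies.get(COOKIE_NAME)
        field_token = fields.get(FIELD_NAME)
        if not cookie_token or not field_token:
            return False  # missing cookie or missing hidden field
        return hmac.compare_digest(cookie_token, field_token)


def two_tabs_accepted(policy):
    """Tab 1 loads the form, tab 2 loads it as well, then tab 1 submits."""
    server, browser = Server(policy), Browser()
    tab1_fields = server.get_form(browser)
    server.get_form(browser)  # tab 2 shares the cookie jar
    return server.post(*browser.submit(tab1_fields))


def forged_form_accepted(policy):
    """A form hosted on another site is submitted from the victim's browser."""
    server, browser = Server(policy), Browser()
    server.get_form(browser)  # the victim has visited the site before
    attacker_fields = {"item": "1"}  # the hidden token cannot be read cross-site
    return server.post(*browser.submit(attacker_fields))


def saved_form_new_session_accepted(policy):
    """Save a protected form, close the browser (cookies gone), submit the saved copy."""
    server, old_browser = Server(policy), Browser()
    saved_fields = server.get_form(old_browser)
    new_browser = Browser()  # a fresh browser has no cookies at all
    return server.post(*new_browser.submit(saved_fields))


if __name__ == "__main__":
    for policy in ("per_session", "per_request", "cookie_only"):
        print(policy, "two tabs:", two_tabs_accepted(policy),
              "forged form:", forged_form_accepted(policy),
              "saved form, new session:", saved_form_new_session_accepted(policy))
```

Running it shows per_session accepting the two-tab submission and rejecting both forged cases, per_request rejecting its own tab-1 submission once tab 2 has loaded (the *bang*), and cookie_only accepting the forged form, which is the "no protection at all" case.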
Mar 25, 2009 at 8:45 AM

Yep, fair comment again.

I've been thinking more about the one-time token and for my purposes this still looks like a go-er, despite the tabbed browsing issue. The reason being that my apps are heavy on the GET request, read-only type screens and light on the POST request, insert/update/delete screens. Therefore, I can live with the occasional "Bad Request" message being displayed to a user *if* they are using browser tabs as it comes with the benefit of an ever changing token.

I was going to modify the source and make the one-time token optional (based on settings in the .config file). If you are happy I can submit these back to you for inclusion in the trunk? Entirely up to you of course....

On the cookie vs. form field vs. session, I agree with what you've said. I'm happy to stick with the cookie and form field.

Thanks again,

Mike.

Coordinator
Mar 25, 2009 at 8:50 AM
I'm going to rip out the token creation code this month to look at supporting GET requests and session linkage anyway, so I think whatever you submit as a patch may need to be redone when I do that bit. Just a warning rather than "Please don't!"

I'm wondering, if your GET requests are read-only, why you feel the need for a token anyway? Am I missing something here?
Mar 25, 2009 at 9:02 AM

Ah, ok then. I will just make the changes here for the moment and see what else you come up with in the next few weeks :-)

As for GET requests, I agree. However, a pedantic security consultant could (and he probably will) say:

"You say all of your GET requests are idempotent but have you tested each and every one, every time you make a release?"

They would also see the part about "... only POST requests are protected..." and leap on it, saying there is still "potential" to attack the GET requests.

Ho hum.

Mike.

Coordinator
Mar 25, 2009 at 9:04 AM
Are you saying that some security consultants aren't pedantic? Wow. Freaks :)
May 28, 2009 at 6:58 PM
Edited May 28, 2009 at 6:59 PM

Just started looking at this solution. Pretty slick, from what I've seen so far.  I just finished reading a paper that gives a very good, detailed overview of CSRF in the real world (http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf). One of the things that popped out at me was that the ASP.NET MVC framework uses GET requests exclusively!!

Cheers!

Coordinator
May 28, 2009 at 9:19 PM

A couple of points - you can use POST in ASP.NET MVC, and indeed you should, with the POST-Redirect-GET pattern, but it's up to you to use it. In any case the ASP.NET MVC bits have their own Anti Forgery Token.

Jun 25, 2009 at 10:31 AM

Hi, I'm trying to implement these modules using Visual Studio 2008, but when I try to run, these errors occur inside the web.config:

Line 22:       </sectionGroup>
Line 23:     </sectionGroup>
Line 24:     <csrfSettings cookieName="__CSRFCOOKIE" formFieldName="__CSRFTOKEN" detectionResult="RaiseException" errorPage="" />
Line 25:   </configSections>
Line 26:   <appSettings/>


Regarding the cookies, do I need to set another name instead of using the default values?

Correct me if I'm wrong: this code must apply to each and every request form, is that right?

thank you!!

Coordinator
Jun 25, 2009 at 10:40 AM

Well what's the error you're getting?

The settings section needs to be outside of the <configSections /> - that is just for setting up strong binding.

If you look at the sample web site you will see it looks like this:

<configSections>
    ....
    <section name="csrfSettings" type="Idunno.AntiCsrf.Configuration.CsrfSettings, Idunno.AntiCsrf" />
</configSections>

<csrfSettings cookieName="__CSRFCOOKIE" formFieldName="_CSRFTOKEN" detectionResult="RaiseException" errorPage="" />

The values in the sample application are, in fact, the default. If you're happy with those you don't need to change them at all.

And yes, the code will add a token to every page that contains a <form runat="server"> unless you specifically exclude them.
Jun 25, 2009 at 11:46 AM

Thank you, the errors are solved.

I tried to run it again and it seems that the code didn't work.

How I'm testing:

When users log in, they must key in the fields for the item ID and the item number. After clicking the button, all the data that the user entered is displayed in the label on the same page.

Then I closed the browser and opened a new one.

In the newly opened browser, I pasted that URL and entered different values.

But I can still do the same thing as the authorised user did.

Am I testing it right?

In my code, I used session for the user ID; should I remove that session?


thank you!!

Coordinator
Jun 25, 2009 at 12:03 PM

AntiCSRF is not a user authorization mechanism, but rather a way to stop people faking forms on their web sites and submitting them to yours. What you seem to be describing is a persistent authentication cookie, which is down to whatever mechanism you are using to perform that.

If you want to see how it works you should save a protected form to your desktop, then edit the form action to point to your development server. Then either close your browser, and then open your local copy and try to submit it, or load the local copy into another browser (Firefox if your original browser is IE for example), load the local form from your desktop and submit it. You should see an exception.

Jun 26, 2009 at 2:42 AM

Actually I am testing on the submit form, not on the authentication form. But thanks for the info.

I'll try to run it in the development server like you said.

Correct me on the way of testing it:

I have IIS 7. I put the project folder (called AntiCsrf) inside the root, like this: C:\inetpub\wwwroot\AntiCsrf

Then in the open browser, I typed http://localhost/AntiCsrf/ but this error happens:


Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level.  This error can be caused by a virtual directory not being configured as an application in IIS.

Source Error: 

Line 84:             ASP.NET to identify an incoming user. 
Line 85:         -->
Line 86:     <authentication mode="Forms"/>
Line 87:     <!--
Line 88:             The <customErrors> section enables configuration 

Is this what you were talking about just now?

<If you want to see how it works you should save a protected form to your desktop, then edit the form action to point to your development server. Then either close your browser, and then open your local copy and try to submit it, or load the local copy into another browser (Firefox if your original browser is IE for example), load the local form from your desktop and submit it. You should see an exception.>

thx >.<
Jun 26, 2009 at 4:38 AM

Greetings,

Can you help me on how to run it? I already followed the guide, but it leaves out how to run it.

I just want to see how it works. I'm using your idunno.antiCsrf.sampleWeb.sln.

thank you

Coordinator
Jun 26, 2009 at 5:23 AM

The error you're seeing is from ASP.NET and is probably because you created a virtual directory to the project rather than a complete new application. But the download comes with a test project, SampleWeb, which you can run from within Visual Studio quite happily.

As for running it, well once it's added as a module within web.config that's it. You can check it's running by viewing the source on any page containing a server form, where you should see a new hidden input field containing the token.

Jun 26, 2009 at 6:53 AM

Sorry, I'm still having the running problem.

Does that mean that I need to put the whole test project inside the server? Because when I did that, this parser error occurred. When I checked the code, this error is caused by the server error!

Hmm, am I not doing it right? I'm sorry, I'm not familiar with using the development server. Usually I just run it by clicking the 'build' button.

Here is what the error looks like:

Server Error in '/' Application.

Parser Error

Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately. 

Parser Error Message: Could not load type 'Idunno.AntiCsrf.SampleWeb.protectedPage'.

Source Error: 

Line 1:  <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="protectedPage.aspx.cs" Trace="true" Inherits="Idunno.AntiCsrf.SampleWeb.protectedPage" %>
Line 2:  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Line 3:  <html xmlns="http://www.w3.org/1999/xhtml" >

PLease HELP >.<


Coordinator
Jun 26, 2009 at 7:01 AM

Running it within Visual Studio works just fine by building then choosing run. You don't need to put the test project anywhere - the solution is set up to work completely within Visual Studio and does not require IIS.

Jun 26, 2009 at 7:09 AM
But then why am I having the error saying that it couldn't load the page after I clicked the button? What does it mean?

It couldn't load either page, protectedPage.aspx or unprotectedPage.aspx.

thx >.<
Coordinator
Jun 26, 2009 at 7:23 AM

Which button are you talking about? What did the error say?

If you choose run from within Visual Studio then you should see three buttons, one to test the protected page, and two to test unprotected pages.

If you enter a value in the "Submit to protected page" box and hit submit you will see a CSRF exception. This shows it's working.

If you enter a value in either of the other two boxes and submit those you will see a successful page display, showing that the excluding of pages work.

Finally if you click the "Browse to protected page via GET" link you will see a successful page load. This is in fact the protected page that errored at the beginning. As you loaded the page via a GET request you can now submit to it and it will no longer throw an exception, showing that it all functions as expected.

Jun 26, 2009 at 7:46 AM
3? I only saw 2 buttons, one for the protectedPage and one for the unprotectedPage. I hope you are clear on the problem I faced.
thx

After clicking the Start Debugging button, this page opens:

AntiCSRF Demonstration Page

Submit to a protected page


Submit to a unprotected page


When I clicked either of the two, these errors occurred:

Server Error in '/idunno.AntiCSRF.SampleWeb' Application.

Parser Error

Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately. 

Parser Error Message: Could not load type 'Idunno.AntiCsrf.SampleWeb.protectedPage'.

Source Error: 

Line 1:  <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="protectedPage.aspx.cs" Trace="true" Inherits="Idunno.AntiCsrf.SampleWeb.protectedPage" %>
Line 2:  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Line 3:  <html xmlns="http://www.w3.org/1999/xhtml" >

Source File: /idunno.AntiCSRF.SampleWeb/protectedPage.aspx    Line: 


Version Information: Microsoft .NET Framework Version:2.0.50727.1434; ASP.NET Version:2.0.50727.1434

Coordinator
Jun 26, 2009 at 8:41 AM

It sounds like you haven't compiled the demo application. Did you run it by using F5?

I've updated the demo site with hopefully clear instructions - please grab the latest changeset and try again. You will want to use the code in Trunk, and there are definitely three buttons.

Jun 26, 2009 at 9:02 AM
OK, downloaded the new version, thanks.

I used the sampleWeb in the trunk, pressed F5 and the demo page appeared together with the test page (correct me if I'm wrong).

Questions:
1) After I open it, do I need to change or add anything? I just added the reference inside the bin only.
2) When I submit the value for the protectedPage button, this is what happens (error: Could not load type 'Idunno.AntiCsrf.SampleWeb.protectedPage'). Is it supposed to run this way? Did I miss anything?

Server Error in '/idunno.AntiCSRF.SampleWeb' Application.

Parser Error

Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately. 

Parser Error Message: Could not load type 'Idunno.AntiCsrf.SampleWeb.protectedPage'.

Source Error: 

Line 1:  <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="protectedPage.aspx.cs" Trace="true" Inherits="Idunno.AntiCsrf.SampleWeb.protectedPage" %>
Line 2:  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Line 3:  <html xmlns="http://www.w3.org/1999/xhtml" >

Source File: /idunno.AntiCSRF.SampleWeb/protectedPage.aspx    Line: 

thank you
Coordinator
Jun 26, 2009 at 9:05 AM

You shouldn't have to change anything, just compile and go. You shouldn't need to add references anywhere, the demo project already has them. Load the entire solution rather than just the test site.

Jun 26, 2009 at 10:44 AM
But from your manual (readme) you said to add a reference into the bin, so now I don't need to add that, right?

If I don't add that .dll inside the bin, I get this error:

Server Error in '/idunno.AntiCSRF.SampleWeb' Application.

Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately. 

Parser Error Message: Could not load file or assembly 'Idunno.AntiCsrf' or one of its dependencies. The system cannot find the file specified. (C:\Users\Administrator\Documents\Visual Studio 2008\WebSites\idunno.AntiCSRF.SampleWeb\web.config line 15)

Source Error: 

Line 13: 		<authentication mode="None"/>
Line 14: 		<httpModules>
Line 15: 			<add name="AntiCSRF" type="Idunno.AntiCsrf.AntiCsrfModule, Idunno.AntiCsrf"/>
Line 16: 		</httpModules>
Line 17: 	</system.web>

Source File: C:\Users\Administrator\Documents\Visual Studio 2008\WebSites\idunno.AntiCSRF.SampleWeb\web.config    Line: 15 


Sorry for the trouble; I just want to know why it still cannot run. Is it anything to do with my machine configuration?

thx


Coordinator
Jun 26, 2009 at 11:37 AM

The readme refers to your own applications, not the demo app. The demo app has a reference to the module project, and so must be compiled in the context of the solution which also contains the module. Opening the solution, as opposed to the web project on its own, links the two together, and compiling and then running the complete solution will create the assembly.

You should not be attempting to load the sample web as a web site inside Visual Studio, load the .SLN file.

Jun 29, 2009 at 1:45 AM
Hi blowdart,

It's been a while.

Correct me if I'm wrong: in Visual Studio, I open the solution and open the file in the trunk folder. Inside it, should I open the one in the .webSample folder, or just the solution file outside?

Because when I open that one, this message box appeared:

"The source control provider associated with this solution could not be found. The projects will be treated as not under source control.
Do you want to permanently remove the source control bindings from the projects?"

If I click either "Yes" or "No", this message appears:

"A project with an output type of class library cannot be started directly. In order to debug this project, add an executable project with references the library project. Set the executable project as the startup project."

My questions are:
 1) What do the messages mean?
 2) Did I miss something else? I tried what you taught me, but still I can't manage to solve the problem.
 3) Do you mind assisting me step by step on how to run the demo?

Jun 29, 2009 at 3:51 AM
Dear blowdart,

I tried to load it as the website instead of the solution you told me, and yes, I can run the project already. Now I want to try the mimicking-the-attacker part, but I don't understand what point 2 means:

2. Open the saved .html file in an editor and change the action parameter in the form to point to the form hosted within VS (http://localhost:4646/protectedPage).

  1. What is the saved .html? Is it the source file that we saved locally based on point no. 1?
  2. Which part should I change it to?
  3. Instead of saying the error is "missing the CSRF cookie and that the sample form does not contain a valid CSRF token", can I configure it to maybe kill the session?

tq~ >.<
Coordinator
Jun 29, 2009 at 4:36 AM

Ah this is the joy of pulling from source control.

You can ignore and remove the bindings message. To run the web right click on it and choose Set as Default project.

These occur because you're downloading a copy of my version, which is configured to use CodePlex as source control. You won't need that, and it won't work as you don't have access to the TFS bits here.

For your other question the saved HTML file is whatever you called the one you copied to your desktop. And CSRF tokens have nothing to do with sessions and are not linked to it in any way.

Jun 29, 2009 at 5:04 AM
Why?

When I run the web again, for the protectedPage, there are errors on the RaiseError method. It says:

"PotentialCsrfException was unhandled by the user" and it highlights the "}" part.

It's not running like the first time I ran it, which was successful.

Regarding the kill session: is there another way that is similar to killing the session, where if there is an attack, the system will log out that particular user?

tqvm!!
Coordinator
Jun 29, 2009 at 5:44 AM

It's supposed to raise an exception, that's the point!

As for killing sessions - well I don't want a dependency on sessions, nor would I want any dependency really. How could I know what you're doing for authentication? Is it forms, claims, OpenID, Passport etc.?

What you could do is add a global error handler in global.asax. Because there are custom exceptions raised you could catch those there and then logout your user and do what you want.

Jun 29, 2009 at 6:47 AM


Yes, I understand, but before this it would pop up a new page showing the exception, but now it shows the exception inside VS. Why?
Jun 29, 2009 at 7:33 AM

If I want to use your code inside my project, do I just need to follow the ReadMe.txt only? How do I test it?

Coordinator
Jun 29, 2009 at 8:23 AM

Because that's what VS *does* when you're debugging.


And yes, if all you want to do is use the module then just follow the read me. To test it, well, then you need to know what CSRF is, and simulate an attack. The instructions in the sample app to view source, and create and edit a local copy, are the easiest.

Jun 29, 2009 at 9:19 AM
ok... 

  1. What if the user copies the address and opens it in a new browser? Can the user still submit the form?
  2. When the browser is closed, does it delete the available cookies?
  3. As for your discussion with Mike regarding running in two browsers, is it solved?
tq


Coordinator
Jun 29, 2009 at 9:40 AM
  1. Yes
  2. Yes
  3. Yes
Jun 29, 2009 at 9:55 AM
  1. I don't understand. If the cookies are deleted, then why can the user still submit the forms even in a different browser? Isn't that one of the ways an attacker can do it?
  2. If your code fixes this, how am I supposed to test it based on the sampleWeb?
  3. I tried to simulate the ways of an attacker based on your instructions on a page that doesn't have idunno.anticsrf.dll. Why did I get the same output as the one that has anticsrf?

thx
Coordinator
Jun 29, 2009 at 10:06 AM
  1. No. Because a page with a form must be loaded via a GET request first, and GET requests are not destructive (unless you've broken the HTTP specs and made them so). You cannot submit a form without first GETing it.
  2. By following the sample web instructions, or by viewing the source of a protected form, saving it onto another web site, closing your browser to delete the cookie and then loading the other web site URL and submitting it.
  3. Then you're simulating it wrongly. If your forms contain CSRF tokens (which you can see with a View Source) and you're doing it as an attacker would, saving that, publishing it elsewhere and then trying to submit in a new browser session you will see the exception.
Jun 30, 2009 at 1:48 AM
  1. So you mean that you have to use the GET method to get that successfully? Not POST? I thought POST was much more secure than GET.
  2. What does it mean by saving it onto another website? Isn't it just saving it under a different name and saving it locally? Or creating a new website in VS?
  3. If I want to set a timer in submit pages, and don't want to apply code on each page, is there a way that I can configure it somewhere inside the web.config, so that I can just call it once?

tq
Jun 30, 2009 at 3:02 AM
Back to the question regarding when the user copies the URL and pastes it in a different browser: you mean that's not one of the CSRF attacks?

I noticed that the cookies are different, but the user can still submit the form, right? If the user can still do that, how do we make sure that the user cannot submit the forms?

tqvm
Coordinator
Jun 30, 2009 at 4:09 AM

What you're describing is not a CSRF attack; I don't think so anyway. If you want to stop a new user submitting the form then add authentication and authorization to it.

Jun 30, 2009 at 4:16 AM

When I applied it to my code, why can't it get the exception error? I only got "the page was broken" or "not found".

I wonder why?
Jun 30, 2009 at 4:24 AM
What does it mean by "AntiCsrfModule is missing, do you still want to debug it"?



Coordinator
Jun 30, 2009 at 4:36 AM

"The page is broken" is not a .NET error, so I don't know what you're seeing here. Nor have I seen this "do you want to debug it" message.

Jun 30, 2009 at 4:52 AM
ok.

The problem that I'm having now is: you said that if it was protected, when the user enters a value and submits it, the user will be directed to the exception page.

The problem here is that instead of the exception page, I got this kind of error for the set action:

Server Error in '/WebSite9' Application.

HTTP Error 404 - Not Found.


Version Information: ASP.NET Development Server 9.0.0.0 


Server Error in '/' Application.

The resource cannot be found.

Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable.  Please review the following URL and make sure that it is spelled correctly.

Requested URL: /Forget.aspx

Coordinator
Jun 30, 2009 at 5:03 AM

You only get the error if the form submission is a PUT request and the user does not have a token, or the token the user has mismatches the one on the form.

If you're submitting to a URL which doesn't exist, as the 404 shows, then nothing is going to help here, as the page doesn't exist.

Jun 30, 2009 at 6:26 AM
If not a PUT request, because I'm using method=POST,

so what should I do to change it? My protected page only has the 2 textboxes and 1 label to display, same as the sampleWeb. Do I need to put a check for cookies inside the page load?

Coordinator
Jun 30, 2009 at 7:08 AM

It all depends on what you're trying to achieve. What you describe isn't a CSRF attack to me, but a more generic problem.

If you can explain more fully you might have better luck asking on a generic technical help forum, like the MSDN ASP.NET forums or Stack Overflow.

Jun 30, 2009 at 9:28 AM

How do I display the error exception in the web browser?

If I press F5, the "unhandled by the user" exception shows inside the VS code. But when I right-click and view in browser, it runs fine.

Why does this happen?


tq

Jul 1, 2009 at 1:34 AM
Hi,

May I know whether this code can be applied to classic ASP?

If yes, can you show me how, and if no, can you give me some idea about it?


thank you!!
Jul 1, 2009 at 7:08 AM

When I try to run inside the development server this page showed instead of the exception page. What does this error mean and how do I solve it, since I already followed the readme file?

Could not find any resources appropriate for the specified culture or the neutral culture.  Make sure "Idunno.AntiCsrf.Properties.Resources.resources" was correctly embedded or linked into assembly "Idunno.AntiCSRF" at compile time, or that all the satellite assemblies required are loadable and fully signed.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture.  Make sure "Idunno.AntiCsrf.Properties.Resources.resources" was correctly embedded or linked into assembly "Idunno.AntiCSRF" at compile time, or that all the satellite assemblies required are loadable and fully signed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


Stack Trace:

[MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture.  Make sure "Idunno.AntiCsrf.Properties.Resources.resources" was correctly embedded or linked into assembly "Idunno.AntiCSRF" at compile time, or that all the satellite assemblies required are loadable and fully signed.]
   System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents) +655
   System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents) +681
   System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents) +681
   System.Resources.ResourceManager.GetString(String name, CultureInfo culture) +77
   Idunno.AntiCsrf.AntiCsrfModule.PreRequestHandlerExecute(Object source, EventArgs eventArgs) +626
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +92
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64
Coordinator
Jul 1, 2009 at 1:04 PM

OK that's a definite bug. I assume you're not running this on an English Operating System?

I've asked someone who knows internationalisation for help on this :)


As for ASP classic, no it won't work, you'd have to manually add tokens, cookies and check them I'm afraid.

Jul 2, 2009 at 6:36 AM

I was told it was a run-time error, but I don't know what it means. But thanks; I found a solution under Microsoft, where it looks similar, but I don't understand it (http://support.microsoft.com/kb/839861).

For ASP, manually means I have to apply it on every page, is it?

thx
Coordinator
Jul 2, 2009 at 6:40 AM

If that gets you running for now great, but I'd like to solve the underlying problem.

Can you tell me what culture your Operating System is configured for? English? French? German?

Jul 2, 2009 at 7:30 AM

It's English, no mistake!


thx
Coordinator
Jul 2, 2009 at 11:35 AM

OK so he's had a look and, spelling mistakes aside, I'm doing resources the right way. It's been pointed out that the error is on line 626 in the module, but the module isn't that big, there is no line 626.

So are you using the assembly from the MSI? Or compiling your own? Or putting the source somewhere in your own existing project?

Jul 2, 2009 at 9:26 PM
Yes, I downloaded the MSI one, but it only has antiCsrf.dll inside, no assembly.

I'm not adding or putting anything, because the instructions said just the reference and adding some code to the web.config.

Correct me if I'm wrong!

tq
Jul 3, 2009 at 5:00 AM
From the demo, I can see there is a resource.resx there. Are those the files that are missing, or where the problems occurred? How can I compile it together with my code?

tq!!

Nov 6, 2013 at 8:36 AM
mikevanoo wrote:
Yep, fair comment again. I've been thinking more about the one-time token and for my purposes this still looks like a go-er, despite the tabbed browsing issue. Reason being is that my apps are heavy on the GET request, read-only type screens and light on the POST request, insert/update/delete screens. Therefore, I can live with the occasional "Bad Request" message being displayed to a user if they are using browser tabs as it comes with the benefit of an ever changing token. I was going to modify the source and make the one-time token optional (based on settings in the .config file). If you are happy I can submit these back to you for inclusion in the trunk? Entirely up to you of course.... On the cookie vs. form field vs. session, I agree with what you've said. I'm happy to stick with the cookie and form field. Thanks again, Mike.
Hi Mike,

I am looking at using AntiCSRF too. Could you tell me how to make the one-time token optional (based on settings in the .config file)?

Thanks in advance,
Khoa