1 year ago

#375252

test-img

fraguerr

Classic Asp Generate and Validate Anti Forgery Token

I have been stuck in this topic for a long time and I hope someone can help me.

I have an application written in asp classic. I must implement an antiforgery token in the form where I go to validate the data. My page is composed like this

<% Dim token
token = GetGUID()
Session("token")=token
%>
<html>
<head>
</head>
<boby>
...
...
<form method="post" action="../includes/CENT_FUNCTIONS.ASP">
<input type="hidden" value="<%=Session("token")%> name="token">
</form>
</body>
</html>

As you can see at the top in the asp code when opening the page I generate a GUID that I am going to save in a session variable. I generate the GUID with this vbs function

FUNCTION GetGUID()
    GetGUID = CreateObject("Scriptlet.TypeLib").GUID
END FUNCTION

So I'm going to save the session variable in a hidden field of the form. The action of the form goes to call another asp file where I will go to collect the form data to call a store procedure in the sql database. The file is written like this

<%
IF Request("token") = Session("token") THEN
    ID_CENT=Request.QueryString("ID_CENT")
    IDAZIENDA_CENT=Request("IDAZIENDA_CENT")
ELSE
    Response.Redirect "../notallowed.asp"
END IF
    
set command = Server.CreateObject("ADODB.Command") 
command.ActiveConnection = conn 
command.CommandText = "CAR_CENTRALINI_FUNZIONI" 
command.CommandType = adCmdStoredProc 

set objParameter = command.CreateParameter ("@ID_CENT", adInteger, adParamInput,,ID_CENT) 
command.Parameters.Append objParameter 

set objParameter = command.CreateParameter ("@IDAZIENDA_CENT", adInteger, adParamInput,,IDAZIENDA_CENT) 
command.Parameters.Append objParameter 

command.Execute , , adExecuteNoRecords 
                
Set command=Nothing
Set objParameter=Nothing

Response.Redirect "../Fonia/UT_Fonia_CENTRALINI.asp"

%>

So before collecting the form data I go to check if the token arrived is the same as the one stored in the session variable. But this comparison that I make in the IF condition always returns false.

Is this way I am using to generate and validate the anti forgery token correct? What am I doing wrong?

Thanks for any replies

html

vbscript

asp-classic

antiforgerytoken

0 Answers

Your Answer

Accepted video resources

Posts

Questions

Blogs

Jobs