Home/ Questions/Q 3721880
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T05:42:25+00:00

I’m trying to protect my .NET web site against CSRF attacks using a hidden

  • 0

I’m trying to protect my .NET web site against CSRF attacks using a hidden key in every form and an special temp cookie, so when the user POST the form I can compare the temp cookie key and the hidden key in the form.

But I don’t wanna use Session or other shared object to keep those temp keys, so I’ve come up with this way:

  1. Browser ask for a form (GET).
  2. App generates a key, [userId] +
    [currentDateTime], symmetrically
    encrypted with a key that my app
    knows.
  3. App put that key in a hidden field
    in the form, and sent a cookie with
    that key too. Browser POST the form.

  4. App ensures that:

    1. The cookie value and hidden form value are the same.
    2. Can obtain an [userId] from the decrypted value, and it’s the current user id.
    3. Can obtain a [DateTime] from the decrypted value.
    4. [DateTime] obtained is not more than 15 min old.

  5. Otherwise, reject POST and show error.

Do you see any flaw?

Kind regards.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The strategy you describe works in general, and is known as “Double Submitting Cookies“. BUT there are a few things that you should know about

    1. .net would have a framework to automatically take care of CSRF. You should find that out and use the recommended solution instead of building something on your own. Unfortunately, I am not a .net guy, so can’t point at the right framework.
    2. If you must build our own CSRF protection, you are better off using a cryptographic random number for the session id instead of encrypting userid + timestamp. There are ways to decrypt a key and even modify it if you are not careful. See Padding Oracle
    • 0