deshion / socialauth-net

Automatically exported from code.google.com/p/socialauth-net

Implement CSRF protection #45

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
If it is not already implemented, it would be a good feature to have.
I looked at the code for OAuth 2 and couldn't find this implementation.

FB example code of CSRF protection in php
https://developers.facebook.com/docs/authentication/

CSRF protection
http://en.wikipedia.org/wiki/Cross-site_request_forgery

I would guess it should be added here
Brickred.SocialAuth.NET.Core.OAuth2_0server.HandleAuthorizationCode()

Original issue reported on code.google.com by kun...@gmail.com on 22 Nov 2011 at 10:21

GoogleCodeExporter commented 9 years ago
Hi,

Thanks for your great inputs. We'll explore more on this and try to incorporate 
it as per your suggestions.

thanks
Deepak

Original comment by daggar...@brickred.com on 23 Nov 2011 at 8:30

GoogleCodeExporter commented 9 years ago
I did something like this in the OAuth2_0server class. I think the state parameter 
is Facebook specific, not sure.

void DirectUserToServiceProvider()
{
    // Generate a fresh, unguessable per-request value and remember it in the user's session
    string CodeState = Guid.NewGuid().ToString();
    SessionManager.userSession.CodeState = CodeState;
    // Send it to the provider as the OAuth 2 "state" parameter; the provider echoes it back on the callback
    oauthParams.Add("state", CodeState);
}

void HandleAuthorizationCode(QueryParameters responseCollection)
{
    // Reject the callback unless "state" is present AND equals the value this session issued.
    // A missing "state" must fail as well; otherwise the check could be bypassed by simply omitting it.
    bool isValid = responseCollection.HasName("state")
        && SessionManager.userSession.CodeState == responseCollection["state"];
    if (!isValid)
    {
        throw new OAuthException(ErrorMessages.CodeAuthorizationValidationFailed(provider.ProviderType, responseCollection));
    }
}

Original comment by kun...@gmail.com on 30 Nov 2011 at 9:10
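
As an added illustration (not code from socialauth-net or from the commenter above), the full round trip of the state check in Python: the application generates the value and binds it to the user's session, a stand-in for the provider echoes it back on the callback, and the callback handler rejects a missing or mismatched value and consumes it so it cannot be replayed. The endpoint URLs, client id and dictionary-backed session are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder for the provider's authorization endpoint
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"


class CsrfValidationError(Exception):
    """Raised when the callback's state is absent or does not match the session."""


def direct_user_to_service_provider(session, client_id, redirect_uri):
    """Issue an unguessable state, bind it to this session, and build the redirect URL."""
    state = secrets.token_urlsafe(32)          # CSPRNG, not a GUID
    session["oauth_state"] = state             # one state per authorization attempt
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def simulate_provider_redirect(authorization_url, code):
    """Stand-in for the provider: echo the state back unchanged on the registered redirect_uri."""
    q = parse_qs(urlparse(authorization_url).query)
    return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"


def handle_authorization_code(session, callback_url):
    """Validate state before trusting the authorization code; return the code on success."""
    query = parse_qs(urlparse(callback_url).query)
    # Consume the stored state even if validation fails, so a value is never checked twice
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        # Absent on either side is a failure: an omitted state must not bypass the check
        raise CsrfValidationError("state missing from session or callback")
    if not hmac.compare_digest(expected, received):
        raise CsrfValidationError("state does not match the one issued to this session")
    code = query.get("code", [None])[0]
    if code is None:
        raise CsrfValidationError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    session = {}
    url = direct_user_to_service_provider(session, "client-123", "https://app.example/callback")
    callback = simulate_provider_redirect(url, "AUTHCODE")
    print("accepted code:", handle_authorization_code(session, callback))
```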

GoogleCodeExporter commented 9 years ago

Original comment by l...@brickred.com on 5 Jun 2012 at 11:00

GoogleCodeExporter commented 9 years ago

Original comment by deepak.a...@3pillarglobal.com on 25 Feb 2014 at 9:36