howto implement Synchronizer Token Pattern in classic asp

Tags:

asp-classic

to prevent CSRF I want to implement the Synchronizer Token Pattern in my classic asp application.

I understand that I should generate a token in session_onstart. What I do not get is how to generate such a token as it should be random and unique. So a simple Rnd() and randomize will not work, right?

Furthermore should it be hashed in any way? How?

Thanks for any hints...

Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

ulluoink asked Sep 07 '25 12:09


2 Answers

I know the question has already been marked as Answered, but I found this post helpful (doesn't really answer your question), particularly the second response which references Chris Shiflett's article explaining CSRF and a simple solution (answers your question plus some).

Here is how you might convert Chris's PHP to VBScript:

' GetGUID() is the helper from the other answer; md5() is the function linked below.
Dim token
token = md5(GetGUID())
Session("token") = token
Session("token_time") = Now() ' Now() rather than Time() so a validity window can be checked across midnight

' Checks to make sure the request method is truly a post-back
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    ' Prevent CSRF (Cross-Site Request Forgeries) by comparing request-generated tokens. See http://shiflett.org/articles/cross-site-request-forgeries
    ' The non-empty check stops an unset session token from matching a missing form field.
    If Session("token") <> "" And Request.Form("token") = Session("token") Then
        ' Request is a post-back and is not a CSRF
    End If
End If

You can have a look at the md5() function (used to hash the GUID) here. The md5 hash isn't necessary, but does add another layer of uniqueness and security.

mmengel answered Sep 10 '25 16:09


You could use a GUID as a token:

' Returns a freshly generated GUID such as {3F2504E0-4F89-11D3-9A0C-0305E82C3301}
Function GetGUID()
    ' Scriptlet.TypeLib appends two null characters after the 38-character GUID; trim them off
    GetGUID = Left(CreateObject("Scriptlet.TypeLib").GUID, 38)
End Function
AnthonyWJones answered Sep 10 '25 17:09
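The generate, store and compare flow that both answers describe, written out as an added, language-neutral illustration in Python (not classic ASP code and not from either answer): the token comes from the operating system's CSPRNG rather than Rnd(), no extra hashing is applied, an empty session token can never match an empty form field, the comparison is constant-time, and the optional validity window from the first answer's Session("token_time") is included. The session dict, field name "token" and 15-minute window are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed validity window, the counterpart of the Session("token_time") check
TOKEN_TTL_SECONDS = 15 * 60


def issue_token(session):
    """Generate a fresh synchronizer token and store it server-side.

    secrets.token_urlsafe reads the OS CSPRNG, so the value is unpredictable
    and unique per call; hashing it afterwards adds no security.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    session["csrf_token_time"] = time.time()
    return token


def render_form_field(session):
    """Hidden input that carries the stored token back with the POST.

    token_urlsafe output is [A-Za-z0-9_-], so no HTML escaping is needed here.
    """
    return f'<input type="hidden" name="token" value="{session["csrf_token"]}">'


def validate_request(session, method, form, now=None):
    """True only for a POST whose submitted token matches the session token.

    Rejects non-POST requests, missing or empty tokens on either side,
    expired tokens, and compares in constant time to avoid timing leaks.
    """
    if method != "POST":
        return False
    stored = session.get("csrf_token")
    submitted = form.get("token", "")
    if not stored or not submitted:
        return False
    now = time.time() if now is None else now
    if now - session.get("csrf_token_time", 0) > TOKEN_TTL_SECONDS:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), submitted.encode("utf-8"))
```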