IntraWeb Archive

New Feature in IntraWeb XIV: CSRF prevention


CSRF (Cross-site request forgery) is a malicious exploit of a website or web application in which unauthorized commands are transmitted from a user that the web application or website trusts.

Read more about CSRF attacks here.

One of the most effective ways to prevent CSRF is known as the Synchronizer Token Pattern, where a secret token is checked on each request. If the tokens don't match, it may be a CSRF attack and you simply show an error to the user. To implement this, IntraWeb now has a new property on ServerController, named CheckFormId (under SecurityOptions; the default value is FALSE):

When this property is TRUE, each IWForm instance receives its own unique token (in fact, a GUID). This token is rendered as a hidden input field named IW_FormId. Each subsequent request processed by this form (sync or async) retrieves the IW_FormId hidden field value and compares it against the form's ID. If the IDs match, form processing continues; otherwise an exception is raised and there is no further processing.
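To make the mechanism concrete, here is the same per-form check modelled in Python. This is an added illustration, not IntraWeb's own (Delphi) code: only the hidden field name IW_FormId, the per-form GUID and the "compare on every request, raise on mismatch" behaviour come from the post above. The class and function names (Form, CsrfTokenMismatch, handle_request) and the use of a constant-time comparison are assumptions of this example.

```python
"""Synchronizer Token Pattern, modelled on IntraWeb's per-form IW_FormId check.

Added illustration in Python, not IntraWeb code. Names such as Form,
CsrfTokenMismatch and handle_request are assumptions; the field name
IW_FormId and the GUID-per-form design come from the post.
"""
import html
import hmac
import uuid
from typing import Mapping

FORM_ID_FIELD = "IW_FormId"  # hidden field name used by IntraWeb (from the post)


class CsrfTokenMismatch(Exception):
    """Raised when a request's IW_FormId is missing or does not match the form's ID."""


class Form:
    """One form instance with its own unique token, as when CheckFormId is TRUE."""

    def __init__(self, check_form_id: bool = True) -> None:
        self.check_form_id = check_form_id
        # uuid4 is drawn from os.urandom, so a third-party site cannot guess it.
        self.form_id = str(uuid.uuid4())

    def render_hidden_field(self) -> str:
        """Render the token as the hidden input the form embeds in its HTML."""
        return (f'<input type="hidden" name="{FORM_ID_FIELD}" '
                f'value="{html.escape(self.form_id)}">')

    def process_request(self, params: Mapping[str, str]) -> str:
        """Validate the submitted token before doing any work on the request.

        Returns a status string on success; raises CsrfTokenMismatch otherwise.
        """
        if self.check_form_id:
            submitted = params.get(FORM_ID_FIELD, "")
            # compare_digest is a hardening choice of this example (constant-time
            # comparison); the post only says the two IDs are compared.
            if not hmac.compare_digest(submitted, self.form_id):
                raise CsrfTokenMismatch(
                    f"{FORM_ID_FIELD} missing or does not match; request rejected")
        return "processed"


def handle_request(form: Form, params: Mapping[str, str]) -> bool:
    """Return True if the form accepted the request, False if it was rejected."""
    try:
        form.process_request(params)
        return True
    except CsrfTokenMismatch:
        return False


if __name__ == "__main__":
    form = Form()
    print(form.render_hidden_field())
    # Constructed requests: the browser that rendered the form echoes the token back...
    legit = {FORM_ID_FIELD: form.form_id, "action": "save"}
    # ...while a request built elsewhere lacks it, or carries some other form's token.
    missing = {"action": "save"}
    other_form = {FORM_ID_FIELD: Form().form_id, "action": "save"}
    print("token present:", handle_request(form, legit))        # True
    print("token missing:", handle_request(form, missing))      # False
    print("other form's token:", handle_request(form, other_form))  # False
```

Two points the demo makes visible: the token is bound to one IWForm instance, so even a valid token from a different form of the same application is rejected, and with `check_form_id=False` (the default in IntraWeb) no check happens at all, which is why the property must be switched on explicitly.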