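/// <summary>
/// Verifies that the current request carries a parameter whose name is the current user's
/// CSRF token. Requests for which <c>IsFirstRequest()</c> returns true are not checked.
/// </summary>
/// <remarks>
/// The token is looked up only in the query string and the form body. <c>HttpRequest.Params</c>
/// also merges cookies and server variables, and cookies are attached by the browser
/// automatically, so they must not be able to satisfy an anti-CSRF check.
/// </remarks>
/// <exception cref="IntrusionException">
/// Thrown when the request is not exempt and no parameter named after the user's token is present,
/// or when the user has no usable token at all.
/// </exception>
public void VerifyCsrfToken()
        {
            HttpRequest currentRequest = ((Authenticator)Owasp.Esapi.Esapi.Authenticator()).CurrentRequest;
            User        currentUser    = (User)Owasp.Esapi.Esapi.Authenticator().GetCurrentUser();

            // NOTE(review): this exemption leaves the exempt request itself without CSRF protection;
            // confirm that no state-changing action is reachable on it.
            if (currentUser.IsFirstRequest())
            {
                return;
            }

            string tokenName = currentUser.CsrfToken;

            // Fail closed: a null or empty token name must never be treated as a match,
            // whatever the underlying collections return for such a key.
            bool tokenPresent = !string.IsNullOrEmpty(tokenName)
                && (currentRequest.QueryString[tokenName] != null || currentRequest.Form[tokenName] != null);

            if (!tokenPresent)
            {
                throw new IntrusionException("Authentication failed", "Possibly forged HTTP request without proper CSRF token detected");
            }
        }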
        // FIXME: ENHANCE - add configuration for entry pages that don't require a token
        /// <summary> Checks that the current request carries a parameter named after the user's CSRF token
        /// (see User.GetCSRFToken()) and throws an exception if that parameter is absent.
        /// </summary>
        /// <seealso cref="Owasp.Esapi.Interfaces.IHttpUtilities.VerifyCsrfToken()">
        /// </seealso>
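        public void  VerifyCsrfToken()
        {
            // Verifies that the current request carries a parameter whose NAME is the current
            // user's CSRF token; only the parameter's presence is tested, not its value.
            IHttpRequest request = ((Authenticator)Esapi.Authenticator()).CurrentRequest;
            User         user    = (User)Esapi.Authenticator().GetCurrentUser();

            // if this is the first request after logging in, let them pass
            // NOTE(review): that request is therefore not CSRF-protected; confirm that no
            // state-changing action is reachable on it.
            if (user.IsFirstRequest())
            {
                return;
            }

            string tokenName = user.CsrfToken;

            // Fail closed: a null or empty token name must never be treated as a match,
            // whatever the request indexer returns for such a key.
            // NOTE(review): if IHttpRequest's indexer merges cookies or server variables (as
            // System.Web.HttpRequest's does), restrict the lookup to query-string and form
            // values, since cookies are sent automatically by the browser - confirm.
            if (string.IsNullOrEmpty(tokenName) || request[tokenName] == null)
            {
                throw new IntrusionException("Authentication failed", "Possibly forged HTTP request without proper CSRF token detected");
            }
        }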