// Entry point for an incoming request: builds the guard that decides whether and
// how the request is handled, and captures the session token so that the response
// can be filtered later on.
private void HandleRequest(object sender, EventArgs args)
{
    var guard = new CSRFGuard(sender);
    _guard = guard;

    // Snapshot the token now; the response filter reads it after the guard has run.
    _session = new Token(guard.CsrfTokenName, guard.CsrfTokenValue);
}
// Compares the CSRF token carried by the request with the one held in session
// and records the outcome in _attackDetected.
private void DetectCSRFAttempt()
{
    // Fail safe: treat the request as an attack until it proves otherwise.
    _attackDetected = true;

    var submittedValue = _context.Request[CsrfTokenName];
    var submittedToken = new Token(CsrfTokenName, submittedValue);
    var sessionToken = new Token(CsrfTokenName, CsrfTokenValue);

    // A request with no embedded token keeps the attack flag set.
    if (submittedValue is null)
    {
        return;
    }

    // NOTE(review): the match relies on Token's == operator; confirm it compares
    // token values (ideally in constant time) rather than references, and that an
    // empty session value cannot be matched by an empty submitted value.
    if (submittedToken == sessionToken)
    {
        _attackDetected = false;
    }
}