ASP.NET Core Identity registration XSRF/CSRF protection

I’m learning ASP.NET Core 3.1 with Razor Pages. While watching tutorials on Identity/authentication/authorization, a common example approach for a user creation/registration form is to wrap some IsAdmin checkbox or user role selection dropdown box inside a @if(User.IsInRole(...)) block, to be bound and checked later in POST handlers. This makes it so that regular users can register as guests/customers etc., while admins can create other admin roles.

So naturally I’m thinking about a potential XSRF/CSRF attack where someone can forge a form with those checkboxes/dropdowns to create these roles.

I learned that ASP.NET Razor Pages have the built-in antiforgery token enabled on all POST forms. My question is, is it enough to protect against such attacks?

I’m thinking I can put a secondary check in the page model’s POST handler, to check the currently logged in user again, like this:

if (Input.Role == MyRole.Admin && User.IsInRole(MyRole.Admin))
{
    //Create admin user
}

Would this offer more protection for privileged role creation? Or is it redundant? If it is still insufficient, are there any other methods that should be considered?

Answers:


Method 1

I don’t see a problem with checking for the user’s role for extra security, but what you should do is separate your actions, i.e. an action must have only one purpose, and then depending on what level of access each action needs you can decorate it with the Authorize attribute like this:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Class-level attribute: every action in this controller requires one of these roles.
[Authorize(Roles = "Administrator, PowerUser")]
public class ControlPanelController : Controller
{
    public ActionResult Stuff()
    {
        return View();
    }

    // Action-level attribute narrows access further: only Administrators,
    // and only via a POST carrying a valid antiforgery token.
    [Authorize(Roles = "Administrator")]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult DoAdminStuff()
    {
        return View();
    }
}

See here MS Docs
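The following is an added example, not code from the question or the answer above, showing both points in Razor Pages form: the antiforgery token is validated automatically for Razor Pages POST handlers, but the decision about which role a new user receives is re-made in the handler from the authenticated principal, and privileged creation can additionally be moved to its own page gated by [Authorize(Roles = ...)]. The class and constant names (RegisterModel, CreateAdminModel, AppRoles, RegistrationInput) are assumptions for illustration; the UserManager, PageModel and attribute APIs are ASP.NET Core Identity's and MVC's own.

```csharp
// Added example (not from the original question or answer). Names such as
// AppRoles, RegistrationInput, RegisterModel and CreateAdminModel are
// assumptions for illustration.
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public static class AppRoles
{
    public const string Admin = "Admin";
    public const string Customer = "Customer";
}

public class RegistrationInput
{
    [Required, EmailAddress]
    public string Email { get; set; }

    [Required, DataType(DataType.Password)]
    public string Password { get; set; }

    // Bound from the form. Whether the checkbox was rendered in the view is
    // irrelevant to security: any client can POST this field regardless.
    public bool IsAdmin { get; set; }
}

// Razor Pages applies antiforgery validation to POST handlers by default, so a
// cross-site form cannot reach OnPostAsync without a token that only the
// legitimate same-origin page can obtain. That blocks CSRF; it says nothing
// about whether the caller may create an admin, so that is checked here.
public class RegisterModel : PageModel
{
    private readonly UserManager<IdentityUser> _userManager;

    public RegisterModel(UserManager<IdentityUser> userManager)
    {
        _userManager = userManager;
    }

    [BindProperty]
    public RegistrationInput Input { get; set; }

    public void OnGet() { }

    public async Task<IActionResult> OnPostAsync()
    {
        if (!ModelState.IsValid)
        {
            return Page();
        }

        // Decide the role from the authenticated principal, never from the
        // posted field alone. A logged-in non-admin who tampers with IsAdmin
        // is refused outright rather than silently downgraded, so the attempt
        // surfaces as a 403 in logs.
        bool callerIsAdmin = User.Identity?.IsAuthenticated == true
                             && User.IsInRole(AppRoles.Admin);
        if (Input.IsAdmin && !callerIsAdmin)
        {
            return Forbid();
        }

        var user = new IdentityUser { UserName = Input.Email, Email = Input.Email };
        IdentityResult result = await _userManager.CreateAsync(user, Input.Password);
        if (!result.Succeeded)
        {
            foreach (IdentityError error in result.Errors)
            {
                ModelState.AddModelError(string.Empty, error.Description);
            }
            return Page();
        }

        string role = Input.IsAdmin ? AppRoles.Admin : AppRoles.Customer;
        await _userManager.AddToRoleAsync(user, role);
        return RedirectToPage("/Index");
    }
}

// Alternative following the answer: privileged creation gets its own page.
// The attribute rejects unauthenticated and non-admin callers before any
// handler runs, so the page body never has to inspect a role checkbox.
[Authorize(Roles = AppRoles.Admin)]
public class CreateAdminModel : PageModel
{
    private readonly UserManager<IdentityUser> _userManager;

    public CreateAdminModel(UserManager<IdentityUser> userManager)
    {
        _userManager = userManager;
    }

    [BindProperty]
    public RegistrationInput Input { get; set; }

    public async Task<IActionResult> OnPostAsync()
    {
        if (!ModelState.IsValid)
        {
            return Page();
        }

        var user = new IdentityUser { UserName = Input.Email, Email = Input.Email };
        IdentityResult result = await _userManager.CreateAsync(user, Input.Password);
        if (!result.Succeeded)
        {
            return Page();
        }

        // Role is fixed by the page, not by user input.
        await _userManager.AddToRoleAsync(user, AppRoles.Admin);
        return RedirectToPage("/Index");
    }
}
```

The two mechanisms are complementary: the antiforgery token stops a third-party site from submitting the form with the victim's session, while the role check in the handler (or the [Authorize] gate on a dedicated page) stops an authenticated but unprivileged user from submitting the hidden field themselves, which the token alone does not prevent.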


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0
