Remove session binding to the CSRF token, as it is unnecessary for serverless services on the backend.

claudiamurialdo · claudiamurialdo · commit d5880095027a · 2023-09-12T19:44:04.000-03:00
diff --git a/dotnet/src/dotnetcore/GxNetCoreStartup/CsrfHelper.cs b/dotnet/src/dotnetcore/GxNetCoreStartup/CsrfHelper.cs
@@ -62,29 +62,4 @@ internal static void SetAntiForgeryTokens(IAntiforgery _antiforgery, HttpContext
 		}
 
 	}
-	public class SessionIdAntiforgeryAdditionalDataProvider : IAntiforgeryAdditionalDataProvider
-	{
-		static readonly ILog log = log4net.LogManager.GetLogger(typeof(SessionIdAntiforgeryAdditionalDataProvider));
-		public string GetAdditionalData(HttpContext context)
-		{
-			context.NewSessionCheck();
-			GXLogging.Debug(log, $"Setting session id as additional CSRF token data:", context.Session.Id);
-			return context.Session.Id.Trim();
-		}
-
-		public bool ValidateAdditionalData(HttpContext context, string additionalData)
-		{
-			if (context.IsNewSession())
-			{
-				return true;
-			}
-			else
-			{
-				bool validSession = context.Session.Id.Trim().CompareTo(additionalData.Trim()) == 0 ? true : false;
-				GXLogging.Warn(log, $"Session id in CSRF token ({additionalData}) does not match the current session id ({context.Session.Id})");
-				return validSession;
-			}
-		}
-	}
-
 }
diff --git a/dotnet/src/dotnetcore/GxNetCoreStartup/Startup.cs b/dotnet/src/dotnetcore/GxNetCoreStartup/Startup.cs
@@ -253,7 +253,6 @@ public void ConfigureServices(IServiceCollection services)
 					options.HeaderName = HttpHeader.X_CSRF_TOKEN_HEADER;
 					options.SuppressXFrameOptionsHeader = false;
 				});
-				services.AddSingleton<IAntiforgeryAdditionalDataProvider, SessionIdAntiforgeryAdditionalDataProvider>();
 			}
 			services.AddDirectoryBrowser();
 			if (GXUtil.CompressResponse())
diff --git a/dotnet/src/dotnetframework/GxClasses/Helpers/CsrfHelper.cs b/dotnet/src/dotnetframework/GxClasses/Helpers/CsrfHelper.cs
@@ -4,14 +4,11 @@
 using System.Web.Helpers;
 using GeneXus.Application;
 using GeneXus.Utils;
-using log4net;
 
 namespace GeneXus.Http
 {
 	internal class CSRFHelper
 	{
-		//AntiForgeryConfig.AdditionalDataProvider = new SessionIdAntiforgeryAdditionalDataProvider();
-		
 		[SecuritySafeCritical]
 		internal static void ValidateAntiforgery(HttpContext context)
 		{
@@ -53,22 +50,4 @@ static void ValidateAntiforgeryImpl(HttpContext context)
 			}
 		}
 	}
-
-	
-	public class SessionIdAntiforgeryAdditionalDataProvider : IAntiForgeryAdditionalDataProvider
-	{
-		static readonly ILog log = log4net.LogManager.GetLogger(typeof(SessionIdAntiforgeryAdditionalDataProvider));
-		public string GetAdditionalData(HttpContextBase context)
-		{
-			GXLogging.Debug(log, $"Setting session id as additional CSRF token data:", context.Session.SessionID);
-			return context.Session.SessionID.Trim();
-		}
-		[SecuritySafeCritical]
-		public bool ValidateAdditionalData(HttpContextBase context, string additionalData)
-		{
-			bool validSession = context.Session.SessionID.Trim().CompareTo(additionalData.Trim()) == 0 ? true : false;
-			GXLogging.Warn(log, $"Session id in CSRF token ({additionalData}) does not match the current session id ({context.Session.SessionID})");
-			return validSession;
-		}
-	}
 }

Original file line number	Diff line number	Diff line change
`@@ -253,7 +253,6 @@ public void ConfigureServices(IServiceCollection services)`
`253`	`253`	`options.HeaderName = HttpHeader.X_CSRF_TOKEN_HEADER;`
`254`	`254`	`options.SuppressXFrameOptionsHeader = false;`
`255`	`255`	`});`
`256`		`- services.AddSingleton<IAntiforgeryAdditionalDataProvider, SessionIdAntiforgeryAdditionalDataProvider>();`
`257`	`256`	`}`
`258`	`257`	`services.AddDirectoryBrowser();`
`259`	`258`	`if (GXUtil.CompressResponse())`
Original file line number	Diff line number	Diff line change
`@@ -4,14 +4,11 @@`
`4`	`4`	`using System.Web.Helpers;`
`5`	`5`	`using GeneXus.Application;`
`6`	`6`	`using GeneXus.Utils;`
`7`		`-using log4net;`
`8`	`7`
`9`	`8`	`namespace GeneXus.Http`
`10`	`9`	`{`
`11`	`10`	`internal class CSRFHelper`
`12`	`11`	`{`
`13`		`- //AntiForgeryConfig.AdditionalDataProvider = new SessionIdAntiforgeryAdditionalDataProvider();`
`14`		`-`
`15`	`12`	`[SecuritySafeCritical]`
`16`	`13`	`internal static void ValidateAntiforgery(HttpContext context)`
`17`	`14`	`{`
`@@ -53,22 +50,4 @@ static void ValidateAntiforgeryImpl(HttpContext context)`
`53`	`50`	`}`
`54`	`51`	`}`
`55`	`52`	`}`
`56`		`-`
`57`		`-`
`58`		`- public class SessionIdAntiforgeryAdditionalDataProvider : IAntiForgeryAdditionalDataProvider`
`59`		`- {`
`60`		`- static readonly ILog log = log4net.LogManager.GetLogger(typeof(SessionIdAntiforgeryAdditionalDataProvider));`
`61`		`- public string GetAdditionalData(HttpContextBase context)`
`62`		`- {`
`63`		`- GXLogging.Debug(log, $"Setting session id as additional CSRF token data:", context.Session.SessionID);`
`64`		`- return context.Session.SessionID.Trim();`
`65`		`- }`
`66`		`- [SecuritySafeCritical]`
`67`		`- public bool ValidateAdditionalData(HttpContextBase context, string additionalData)`
`68`		`- {`
`69`		`- bool validSession = context.Session.SessionID.Trim().CompareTo(additionalData.Trim()) == 0 ? true : false;`
`70`		`- GXLogging.Warn(log, $"Session id in CSRF token ({additionalData}) does not match the current session id ({context.Session.SessionID})");`
`71`		`- return validSession;`
`72`		`- }`
`73`		`- }`
`74`	`53`	`}`