Disable CSRF Protection for specific .aspx page

VASANTH K asked on February 22, 2017 12:54

I have a set of .aspx pages which deal with custom SSO login for my Kentico site, where the SSO server directly POSTs the SAML response to one of my .aspx pages. It was fine so far; a few days back we applied Hotfix 9.0.50, which results in the following error:

Value cannot be null.
Parameter name: s
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ArgumentNullException: Value cannot be null.
Parameter name: s

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[ArgumentNullException: Value cannot be null.
Parameter name: s]
   System.Convert.FromBase64String(String s) +14096436
   CMS.Protection.CsrfProtection.OnPostMapRequestHandlerExecute(Object sender, EventArgs eventArgs) +414

[CsrfException: CSRF attack detected.]
   CMS.Protection.CsrfProtection.ThrowCsrfException(Exception innerException) +69
   CMS.Protection.CsrfProtection.OnPostMapRequestHandlerExecute(Object sender, EventArgs eventArgs) +537
   CMS.Base.AbstractHandler.CallEventHandler(EventHandler`1 h, TArgs e) +114
   CMS.Base.AbstractHandler.Raise(String partName, List`1 list, TArgs e, Boolean important) +914
   CMS.Base.SimpleHandler`2.RaiseExecute(TArgs e) +136
   CMS.Base.SimpleHandler`2.RaiseExecute(TArgs e) +172
   CMS.Base.SimpleHandler`2.StartEvent(TArgs e) +287
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +92

I know this is because the SSO server directly posts the response to the Kentico site without a token, so in order to fix this issue immediately I added <add key="CMSEnableCsrfProtection" value="false" /> to web.config to get rid of the error, and the site runs smoothly as before, but I want to know whether this will cause any security issue, or whether there is any way to disable CsrfProtection for a specific .aspx page alone instead of globally.

Recent Answers

Michal Samuhel answered on February 22, 2017 13:51

I believe that I had just discussed this with your colleague in a ticket.

Unfortunately it is not possible to disable protection on a single page in your version. This is possible from v10 hotfix 03, where we have created a workaround, as described in the following article:


However, exempting pages from protection is not exactly a great approach either. I am not sure about your SSO setup, but the best approach would be to avoid posting to any page that inherits from CMSPage and handle the post via some service or other custom code, as pages themselves should not receive posts from other sites; rather, they should serve as a presentation context and let handlers and services work with integrations.

1 vote
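The answer above recommends receiving the IdP's POST in a handler or service rather than in a page that inherits from CMSPage. The following is an added example, not Kentico's code, not the poster's SSO code and not the article the answer refers to: a plain ASP.NET IHttpHandler acting as the Assertion Consumer Service for the SAML 2.0 HTTP-POST binding. Since a request from the IdP's origin can never carry the site's CSRF token, the handler does its own checks instead (IdP signature pinned to a configured certificate, signature reference bound to the signed element's own ID, Destination, Issuer, Audience, time window, and a local-only RelayState redirect). Assumed names: the class Custom.Sso.SamlAcsHandler and the appSettings SsoIdpIssuer, SsoIdpCertificatePath, SsoAcsUrl and SsoSpEntityId; the sign-in step assumes the site uses forms authentication and that the Kentico user name equals the asserted NameID. Whether Kentico's CsrfProtection module leaves a non-CMSPage handler alone in your version is something to verify, not something this example can promise.

```csharp
using System;
using System.Configuration;
using System.Globalization;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;   // reference System.Security.dll
using System.Text;
using System.Web;
using System.Web.Security;
using System.Xml;

namespace Custom.Sso
{
    // Added example, not Kentico code: an Assertion Consumer Service for the SAML 2.0
    // HTTP-POST binding as a plain IHttpHandler, so the IdP never posts to a CMSPage.
    // Register it in web.config (IIS integrated pipeline):
    //   <system.webServer><handlers>
    //     <add name="SamlAcs" verb="POST" path="SsoAcs.ashx" type="Custom.Sso.SamlAcsHandler" />
    //   </handlers></system.webServer>
    // Hypothetical appSettings: SsoIdpIssuer, SsoIdpCertificatePath, SsoAcsUrl, SsoSpEntityId.
    public class SamlAcsHandler : IHttpHandler
    {
        const string DsNs = "http://www.w3.org/2000/09/xmldsig#";
        const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
        const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";
        const string Success = "urn:oasis:names:tc:SAML:2.0:status:Success";
        static readonly TimeSpan ClockSkew = TimeSpan.FromMinutes(2);

        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext ctx)
        {
            // No CSRF token is ever present here: the IdP is a different origin. The IdP's
            // signature over the assertion is what authenticates this request instead.
            if (ctx.Request.HttpMethod != "POST") { ctx.Response.StatusCode = 405; return; }

            string encoded = ctx.Request.Form["SAMLResponse"];
            if (string.IsNullOrEmpty(encoded)) { ctx.Response.StatusCode = 400; return; }

            // XmlResolver = null disables external entity resolution (XXE); PreserveWhitespace
            // keeps canonicalisation of the signed content exact.
            var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
            try
            {
                doc.LoadXml(Encoding.UTF8.GetString(Convert.FromBase64String(encoded)));
            }
            catch (Exception ex) when (ex is FormatException || ex is XmlException)
            {
                ctx.Response.StatusCode = 400; return;
            }

            var ns = new XmlNamespaceManager(doc.NameTable);
            ns.AddNamespace("ds", DsNs);
            ns.AddNamespace("saml", SamlNs);
            ns.AddNamespace("samlp", SamlpNs);

            string nameId = Validate(doc, ns);
            if (nameId == null) { ctx.Response.StatusCode = 403; return; }

            // Assumption: forms authentication, Kentico user name == NameID. Replace with the
            // site's real user mapping.
            FormsAuthentication.SetAuthCookie(nameId, false);

            // RelayState is attacker-influenced; follow it only to a local path (no open redirect).
            string relay = ctx.Request.Form["RelayState"];
            bool local = !string.IsNullOrEmpty(relay) && relay.StartsWith("/")
                         && !relay.StartsWith("//") && !relay.StartsWith("/\\");
            ctx.Response.Redirect(local ? relay : "/", false);
        }

        // Returns the asserted NameID, or null when any check fails.
        static string Validate(XmlDocument doc, XmlNamespaceManager ns)
        {
            XmlElement response = doc.DocumentElement;
            if (response == null || response.LocalName != "Response" || response.NamespaceURI != SamlpNs) return null;

            XmlNode status = response.SelectSingleNode("samlp:Status/samlp:StatusCode/@Value", ns);
            if (status == null || status.Value != Success) return null;

            // Destination pins the response to this ACS, so one captured elsewhere cannot be replayed here.
            if (response.GetAttribute("Destination") != ConfigurationManager.AppSettings["SsoAcsUrl"]) return null;

            XmlNodeList assertions = response.SelectNodes("saml:Assertion", ns);
            if (assertions.Count != 1) return null;
            var assertion = (XmlElement)assertions[0];

            // Either the assertion or the whole response must carry a valid signature from the pinned IdP key.
            var cert = new X509Certificate2(ConfigurationManager.AppSettings["SsoIdpCertificatePath"]);
            if (!SignatureCovers(assertion, cert, ns) && !SignatureCovers(response, cert, ns)) return null;

            XmlNode issuer = assertion.SelectSingleNode("saml:Issuer", ns);
            if (issuer == null || issuer.InnerText.Trim() != ConfigurationManager.AppSettings["SsoIdpIssuer"]) return null;

            var conditions = assertion.SelectSingleNode("saml:Conditions", ns) as XmlElement;
            if (conditions == null) return null;
            DateTime now = DateTime.UtcNow, notBefore, notOnOrAfter;
            string nb = conditions.GetAttribute("NotBefore"), noa = conditions.GetAttribute("NotOnOrAfter");
            if (nb != "" && (!TryParseUtc(nb, out notBefore) || now + ClockSkew < notBefore)) return null;
            if (!TryParseUtc(noa, out notOnOrAfter) || now - ClockSkew >= notOnOrAfter) return null;

            XmlNode audience = conditions.SelectSingleNode("saml:AudienceRestriction/saml:Audience", ns);
            if (audience == null || audience.InnerText.Trim() != ConfigurationManager.AppSettings["SsoSpEntityId"]) return null;

            XmlNode nameId = assertion.SelectSingleNode("saml:Subject/saml:NameID", ns);
            string value = nameId == null ? "" : nameId.InnerText.Trim();
            return value == "" ? null : value;
        }

        // True when `element` has a direct-child ds:Signature whose single Reference points at
        // `element`'s own ID (so a signature over one element cannot vouch for another, the
        // classic signature-wrapping trick) and the signature verifies with `cert` alone.
        static bool SignatureCovers(XmlElement element, X509Certificate2 cert, XmlNamespaceManager ns)
        {
            var sig = element.SelectSingleNode("ds:Signature", ns) as XmlElement;
            if (sig == null) return false;
            var signed = new SignedXml(element);
            signed.LoadXml(sig);
            if (signed.SignedInfo.References.Count != 1) return false;
            var reference = (Reference)signed.SignedInfo.References[0];
            string id = element.GetAttribute("ID");
            if (id == "" || reference.Uri != "#" + id) return false;
            return signed.CheckSignature(cert, true); // verifySignatureOnly: no chain building, pinned key only
        }

        static bool TryParseUtc(string s, out DateTime t)
        {
            return DateTime.TryParse(s, CultureInfo.InvariantCulture,
                DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal, out t);
        }
    }
}
```

The point of the example is which checks stand in for the missing CSRF token: the signature (bound to the element it claims to sign), Destination, Issuer, Audience and the validity window. Two things it leaves out that a production endpoint should add are an InResponseTo check against the AuthnRequest ID the site issued (for SP-initiated flows) and a short-lived cache of consumed assertion IDs to stop replay inside the validity window; a maintained SAML library will do both for you and is preferable to hand-rolled XML signature handling.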
