CSRF defense approach

I'm trying to protect my .NET web site against CSRF attacks using a hidden key in every form and an special temp cookie, so when the user POST the form I can compare the temp cookie key and the hidden key in the form.

But I don't wanna use Session or other shared object to keep those temp keys, so I've come up with this way:

1. Browser ask for a form (GET).
2. App generates a key, [userId] + [currentDateTime], symmetrically encrypted with a key that my app knows.
3. App put that key in a hidden field in the form, and sent a cookie with that key too. Browser POST the form.

4. App ensures that:

   1. The cookie value and hidden form value are the same.
   2. Can obtain an [userId] from the decrypted value, and it's the current user id.
   3. Can obtain a [DateTime] from the decrypted value.
   4. [DateTime] obtained is not more than 15 min old.

5. Otherwise, reject POST and show error.开发者_JS百科

Do you see any flaw?

Kind regards.

The strategy you describe works in general, and is known as "Double Submitting Cookies". BUT there are a few things that you should know about

1. .net would have a framework to automatically take care of CSRF. You should find that out and use the recommended solution instead of building something on your own. Unfortunately, I am not a .net guy, so can't point at the right framework.
2. If you must build our own CSRF protection, you are better off using a cryptographic random number for the session id instead of encrypting userid + timestamp. There are ways to decrypt a key and even modify it if you are not careful. See Padding Oracle

Why don't you use the built in ViewState userkey? Populate that with the user's login name and you're done. This however doesn't do expiry.

If you don't have authenticated users or don't like that approach because you don't like viewstate then you could write an HTTP Module which inserts a hidden form field like the one I wrote and published on codeplex - you should be able to adjust that for expiry.