        // [ ENTRY POINT ]
        // Produces the hidden <input> carrying the anti-XSRF form token for the
        // current user. Side effects: may persist a freshly minted cookie token
        // through _tokenStore, and (unless suppressed by config) emits an
        // X-Frame-Options: SAMEORIGIN response header as a clickjacking defense.
        public TagBuilder GetFormInputElement(HttpContextBase httpContext)
        {
            // Enforce the RequireSSL policy before any token leaves this method.
            CheckSSLConfig(httpContext);

            // A missing or unreadable cookie yields null here instead of throwing;
            // GetTokens then decides whether a replacement cookie token is needed.
            AntiForgeryToken existingCookieToken = GetCookieTokenNoThrow(httpContext);
            AntiForgeryToken replacementCookieToken;
            AntiForgeryToken formToken;
            GetTokens(httpContext, existingCookieToken, out replacementCookieToken, out formToken);

            // Only a newly generated cookie token has to be written back.
            if (replacementCookieToken != null)
            {
                _tokenStore.SaveCookieToken(httpContext, replacementCookieToken);
            }

            if (!_config.SuppressXFrameOptionsHeader)
            {
                // Forbid framing from other origins. See
                // http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-10
                // AddHeader appends rather than replaces, so calling this method
                // more than once per response may emit the header repeatedly.
                httpContext.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
            }

            // Renders as <input type="hidden" name="{FormFieldName}" value="{token}" />.
            // Nothing here escapes the value; attribute encoding is left to
            // TagBuilder at render time.
            var hiddenInput = new TagBuilder("input");
            hiddenInput.Attributes["type"] = "hidden";
            hiddenInput.Attributes["name"] = _config.FormFieldName;
            hiddenInput.Attributes["value"] = _serializer.Serialize(formToken);

            return hiddenInput;
        }
        // Persists the cookie half of the anti-forgery token pair: records it in
        // the per-request AntiForgeryContext (so later code in the same request
        // can reuse it without re-reading the cookie) and appends the serialized
        // token to the response as an HttpOnly cookie.
        public void SaveCookieToken(HttpContext httpContext, AntiForgeryToken token)
        {
            var contextAccessor = httpContext.RequestServices.GetRequiredService<IContextAccessor<AntiForgeryContext>>();

            // Contract.Assert is conditional (debug/contracts builds only); in other
            // builds a second call would silently replace the earlier context.
            Contract.Assert(contextAccessor.Value == null, "AntiForgeryContext should be set only once per request.");
            contextAccessor.SetValue(new AntiForgeryContext { CookieToken = token });

            // HttpOnly keeps the cookie token out of reach of script on the page.
            var cookieOptions = new CookieOptions { HttpOnly = true };

            // Secure is only ever switched on, never assigned straight from
            // RequireSSL, so a default populated elsewhere is not overwritten with
            // false. With RequireSSL off the cookie may travel over plain HTTP.
            // No SameSite attribute is applied here.
            if (_config.RequireSSL)
            {
                cookieOptions.Secure = true;
            }

            var cookieValue = _serializer.Serialize(token);
            httpContext.Response.Cookies.Append(_config.CookieName, cookieValue, cookieOptions);
        }
        // [ ENTRY POINT ]
        // Builds the hidden <input> that carries the anti-XSRF form token for the
        // current user. Side effect: when the cookie half of the pair had to be
        // (re)generated, it is persisted on the response via _tokenStore.
        public TagBuilder GetFormInputElement(HttpContextBase httpContext)
        {
            // RequireSSL policy is enforced before any token is issued.
            CheckSSLConfig(httpContext);

            // Null when the cookie is absent or cannot be parsed; GetTokens then
            // decides whether a new cookie token must be minted.
            AntiForgeryToken cookieTokenFromRequest = GetCookieTokenNoThrow(httpContext);
            AntiForgeryToken cookieTokenToPersist;
            AntiForgeryToken tokenForForm;
            GetTokens(httpContext, cookieTokenFromRequest, out cookieTokenToPersist, out tokenForForm);

            // A null here means the existing cookie token is still good.
            if (cookieTokenToPersist != null)
            {
                _tokenStore.SaveCookieToken(httpContext, cookieTokenToPersist);
            }

            // Renders as <input type="hidden" name="{FormFieldName}" value="{token}" />.
            // The value is not escaped here; encoding is left to TagBuilder when
            // the element is rendered.
            var input = new TagBuilder("input");
            input.Attributes["type"] = "hidden";
            input.Attributes["name"] = _config.FormFieldName;
            input.Attributes["value"] = _serializer.Serialize(tokenForForm);

            return input;
        }
        // Appends the serialized cookie token to the response as an HttpOnly
        // cookie named _config.CookieName.
        public void SaveCookieToken(HttpContext httpContext, AntiForgeryToken token)
        {
            // HttpOnly denies page script access to the token. Secure is only
            // ever turned on (never assigned from RequireSSL) so that a default
            // populated elsewhere is not overwritten with false; with RequireSSL
            // off the cookie may be sent over plain HTTP. No SameSite attribute
            // is set here.
            var cookieOptions = _config.RequireSSL
                ? new CookieOptions { HttpOnly = true, Secure = true }
                : new CookieOptions { HttpOnly = true };

            httpContext.Response.Cookies.Append(_config.CookieName, _serializer.Serialize(token), cookieOptions);
        }
        // Writes the serialized cookie token to the response as an HttpOnly
        // HttpCookie named _config.CookieName.
        public void SaveCookieToken(HttpContextBase httpContext, AntiForgeryToken token)
        {
            var cookie = new HttpCookie(_config.CookieName, _serializer.Serialize(token));

            // Page script never needs the cookie half of the token pair.
            cookie.HttpOnly = true;

            // Secure is only switched on, never assigned from RequireSSL, because
            // its default is populated from the <httpCookies> config element and
            // must not be overridden with false.
            if (_config.RequireSSL)
            {
                cookie.Secure = true;
            }

            // Set updates a cookie of the same name already queued on the
            // response instead of adding a duplicate.
            httpContext.Response.Cookies.Set(cookie);
        }