public void Security_ReturnUrlAndSecureCookie(HostType hostType)
{
using (ApplicationDeployer deployer = new ApplicationDeployer())
{
string applicationUrl = deployer.Deploy(hostType, ReturnUrlAndSecureCookieConfiguration);
string secureServerUri = new UriBuilder(applicationUrl)
{
Scheme = Uri.UriSchemeHttps
}.Uri.AbsoluteUri;
HttpClientHandler handler = new HttpClientHandler();
HttpClient httpClient = new HttpClient(handler);
// Unauthenticated request - verify Redirect url
HttpResponseMessage response = httpClient.GetAsync(applicationUrl).Result;
CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Unauthenticated requests not automatically redirected to login page", "MyRedirectUrl");
var validCookieCredentials = new FormUrlEncodedContent(new kvp[] { new kvp("username", "test"), new kvp("password", "test") });
response = httpClient.PostAsync(response.RequestMessage.RequestUri, validCookieCredentials).Result;
response.EnsureSuccessStatusCode();
//Verify cookie sent
Assert.False(handler.CookieContainer.Count != 1, "Forms auth cookie not received automatically after successful login");
Cookie loginCookie = handler.CookieContainer.GetCookies(new Uri(secureServerUri))[0];
Assert.Equal(loginCookie.Secure, true);
}
}
public void Security_CustomSecureDataHandler(HostType hostType)
{
using (ApplicationDeployer deployer = new ApplicationDeployer())
{
string applicationUrl = deployer.Deploy(hostType, CustomSecureDataHandlerConfiguration);
string homePath = applicationUrl + "Auth/Home";
string logoutPath = applicationUrl + string.Format("Auth/Logout?ReturnUrl={0}", new Uri(homePath).AbsolutePath);
var handler = new HttpClientHandler();
var httpClient = new HttpClient(handler);
// Unauthenticated request
var response = httpClient.GetAsync(applicationUrl).Result;
CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Unauthenticated requests not automatically redirected to login page");
// Valid credentials
var validCookieCredentials = new FormUrlEncodedContent(new kvp[] { new kvp("username", "test"), new kvp("password", "test") });
response = httpClient.PostAsync(response.RequestMessage.RequestUri, validCookieCredentials).Result;
Assert.Equal <string>("OnResponseSignedIn.CustomSecureDataHandler", response.Content.ReadAsStringAsync().Result);
Assert.Equal <string>(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);
var cookieBackup = handler.CookieContainer.GetCookies(new Uri(applicationUrl))[".AspNet.Cookies"];
for (int retryCount = 0; retryCount < 10; retryCount++)
{
response = httpClient.GetAsync(applicationUrl).Result;
Assert.Equal <string>("CustomSecureDataHandler", response.Content.ReadAsStringAsync().Result);
Assert.Equal <string>(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);
}
//Logout the client
response = httpClient.GetAsync(logoutPath).Result;
Assert.True(handler.CookieContainer.Count == 0, "Cookie is not cleared on logout");
Assert.Equal <string>("Welcome Home", response.Content.ReadAsStringAsync().Result);
//Try login with a corrupt cookie to see that Exception notification is triggered.
handler.CookieContainer.Add(new Cookie("ExceptionTrigger", "true", "/", cookieBackup.Domain));
handler.CookieContainer.Add(cookieBackup);
response = httpClient.GetAsync(applicationUrl).Result;
Assert.Equal <string>("OnException.CustomSecureDataHandler", response.Content.ReadAsStringAsync().Result);
}
}
public void Security_PersistentCookie(HostType hostType)
{
using (ApplicationDeployer deployer = new ApplicationDeployer())
{
string applicationUrl = deployer.Deploy(hostType, PersistentCookieConfiguration);
string homePath = applicationUrl + "Auth/Home";
string logoutPath = applicationUrl + string.Format("Auth/Logout?ReturnUrl={0}", new Uri(homePath).AbsolutePath);
var handler = new HttpClientHandler();
var httpClient = new HttpClient(handler);
// Unauthenticated request
var response = httpClient.GetAsync(applicationUrl).Result;
CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Unauthenticated requests not automatically redirected to login page");
// Valid credentials
var validPersistingCredentials = new FormUrlEncodedContent(new kvp[] { new kvp("username", "test"), new kvp("password", "test"), new kvp("rememberme", "on") });
response = httpClient.PostAsync(response.RequestMessage.RequestUri, validPersistingCredentials).Result;
response.EnsureSuccessStatusCode();
Assert.Equal <string>(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);
//Verify cookie sent
Assert.True(handler.CookieContainer.Count == 1, "Did not receive one cookie as expected");
var cookie = handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0];
Assert.True(cookie != null && cookie.Name == "KATANACOOKIE", "Cookie with name 'KATANACOOKIE' not found");
Assert.True((cookie.Expires - DateTime.Now).Days > 10, "Did not receive a persistent cookie");
//Logout the client
response = httpClient.GetAsync(logoutPath).Result;
Assert.True(handler.CookieContainer.Count == 0, "Cookie is not cleared on logout");
Assert.Equal <string>(homePath, response.RequestMessage.RequestUri.AbsoluteUri);
//Try accessing protected resource again. It should get redirected to login page
response = httpClient.GetAsync(applicationUrl).Result;
CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Request not automatically redirected to login page after cookie expiry");
}
}
public void Security_HttpCookieOnlyAndCookiePath(HostType hostType)
{
using (ApplicationDeployer deployer = new ApplicationDeployer())
{
string applicationUrl = deployer.Deploy(hostType, HttpCookieOnlyAndCookiePathConfiguration);
string passiveAuthLoginPage = applicationUrl + "Auth/PassiveAuthLogin";
string homePath = applicationUrl + "Auth/Home";
string logoutPath = applicationUrl + string.Format("Auth/Logout?ReturnUrl={0}", new Uri(homePath).AbsolutePath);
var handler = new HttpClientHandler();
var httpClient = new HttpClient(handler);
var response = httpClient.GetAsync(passiveAuthLoginPage).Result;
CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, passiveAuthLoginPage, "Unauthenticated requests not automatically redirected to login page");
var validCookieCredentials = new FormUrlEncodedContent(new kvp[] { new kvp("username", "test"), new kvp("password", "test") });
response = httpClient.PostAsync(response.RequestMessage.RequestUri, validCookieCredentials).Result;
//Verify cookie sent
Assert.Equal(2, handler.CookieContainer.Count);
CookieCollection cookies = handler.CookieContainer.GetCookies(new Uri(applicationUrl + "Auth"));
Cookie applicationCookie = cookies[CookieAuthenticationDefaults.CookiePrefix + "Application"];
Cookie temporaryCookie = cookies["TemporaryCookie"];
Assert.NotNull(applicationCookie);
Assert.NotNull(temporaryCookie);
Assert.True(applicationCookie.HttpOnly);
Assert.Equal("/", applicationCookie.Path);
Assert.False(temporaryCookie.HttpOnly);
Assert.Equal(temporaryCookie.Path, new Uri(applicationUrl).AbsolutePath + "Auth");
Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);
//Logout the client
response = httpClient.GetAsync(logoutPath).Result;
Assert.True(handler.CookieContainer.Count == 0, "Cookie is not cleared on logout");
Assert.Equal(homePath, response.RequestMessage.RequestUri.AbsoluteUri);
}
}
public void Security_CookiesAuthDefaults(HostType hostType)
{
using (ApplicationDeployer deployer = new ApplicationDeployer())
{
string applicationUrl = deployer.Deploy(hostType, CookieAuthDefaultsConfiguration);
string homePath = applicationUrl + "Auth/Home";
string logoutPath = applicationUrl + string.Format("Auth/Logout?ReturnUrl={0}", new Uri(homePath).AbsolutePath);
var handler = new HttpClientHandler();
var httpClient = new HttpClient(handler);
// Unauthenticated request
var response = httpClient.GetAsync(applicationUrl).Result;
CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Unauthenticated requests not automatically redirected to login page");
// Invalid credentials test
for (int retryCount = 0; retryCount < 2; retryCount++)
{
response = httpClient.PostAsync(response.RequestMessage.RequestUri, GetInValidCookieCredentials()).Result;
CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Invalid credentials - not automatically redirecting to login page with proper ReturnUrl");
}
// Valid credentials
response = httpClient.PostAsync(response.RequestMessage.RequestUri, GetValidCookieCredentials()).Result;
Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);
//Verify cookie sent
Assert.False(handler.CookieContainer.Count != 1 ||
handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0].Name != "KATANACOOKIE",
string.Format("Forms auth cookie with expected name '{0}' not received automatically after successful login", "KATANACOOKIE"));
//Retry multiple times with valid cookie to test sliding expiration
for (int retryCount = 0; retryCount < 3; retryCount++)
{
Thread.Sleep(2 * 1000);
response = httpClient.GetAsync(applicationUrl).Result;
response.EnsureSuccessStatusCode();
Assert.Equal("ProtectedResource", response.Content.ReadAsStringAsync().Result);
Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);
}
//Expire the cookie & verify if request is redirected to login page again
Thread.Sleep(3 * 1000);
response = httpClient.GetAsync(applicationUrl).Result;
response.EnsureSuccessStatusCode();
CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Request not automatically redirected to login page after cookie expiry");
//Reauthenticate with valid cookie & verify if protected resource is accessible again
response = httpClient.PostAsync(response.RequestMessage.RequestUri, GetValidCookieCredentials()).Result;
Assert.Equal("ProtectedResource", response.Content.ReadAsStringAsync().Result);
Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);
//Make one successful call
response = httpClient.GetAsync(applicationUrl).Result;
//Now corrupt the cookie to see if this gets redirected to login page
string backUpCookieValue = handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0].Value;
handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0].Value = "invalid cookie value";
response = httpClient.GetAsync(applicationUrl).Result;
CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Request not automatically redirected to login page after cookie expiry");
//put back the valid cookie & verify protected resource is accessible again
handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0].Value = backUpCookieValue;
response = httpClient.GetAsync(applicationUrl).Result;
Assert.Equal("ProtectedResource", response.Content.ReadAsStringAsync().Result);
Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);
//Logout the client
response = httpClient.GetAsync(logoutPath).Result;
Assert.True(handler.CookieContainer.Count == 0, "Cookie is not cleared on logout");
Assert.Equal("Welcome Home", response.Content.ReadAsStringAsync().Result);
//Try accessing protected resource again. It should get redirected to login page
response = httpClient.GetAsync(applicationUrl).Result;
CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Request not automatically redirected to login page after cookie expiry");
}
}
