public static void AddSessionFixationProtectionCookie(HeContext heContext)
{
if (UseSessionFixationProtection())
{
if (!heContext.IsReadOnlySessionRequest)
{
if (StringUtils.EqualsIgnoreCase(heContext.Session.TerminalType, "WEB"))
{
string randomPart = String.Empty + GetRandomLongNumber() + GetRandomLongNumber();
HttpCookie protectionValueCookie = GetCookieByName(heContext.Context.Request.Cookies, heContext.AppInfo.SessionFixationProtectionCookieName);
heContext.Session.SessionFixationProtectionOld = protectionValueCookie == null ? "" : protectionValueCookie.Value;
heContext.Session.SessionFixationProtection = randomPart;
heContext.PendingSessionProtectionValidation = false;
HttpCookie cookie = new HttpCookie(heContext.AppInfo.SessionFixationProtectionCookieName, randomPart);
cookie.Path = SESSION_FIXATION_PROTECTION_COOKIE_PATH;
SecureCookieUtils.setSecureCookie(cookie, heContext.Context.Response);
if (Settings.GetBool(Settings.Configs.DebugSessionFixationProtection))
{
GeneralLog.StaticWrite(DateTime.Now, heContext.Session.SessionID, heContext.AppInfo.eSpaceId, 0, heContext.Session.UserId, "OldSessionFixationProtectionCookie (" + heContext.Session.SessionFixationProtectionOld + "); NewSessionFixationProtectionCookie(" + heContext.Session.SessionFixationProtection + ")", "INFO", "SESSION", null);
}
heContext.Session.SessionFixationProtectionExpirationInstant = DateTime.Now.AddSeconds(Settings.GetInt(Settings.Configs.SessionFixationAllowedOverlapWindowInSecs));
}
}
}
}
internal static void DeleteCookie(HeContext heContext, string cookieName, string cookiePath)
{
var cookie = GetCookieByName(heContext.Context.Request.Cookies, cookieName);
if (cookie != null)
{
cookie.Value = String.Empty;
cookie.Path = cookiePath;
cookie.Expires = DateTime.Now;
SecureCookieUtils.setSecureCookie(cookie, heContext.Context.Response);
}
}
public static void ValidateSessionFixationCookieAgainstSession(HeContext heContext)
{
// Process SessionFixationProtection cookie
if (!heContext.IsReadOnlySessionRequest)
{
if (Settings.GetBool(Settings.Configs.EnableSessionFixationProtection) && heContext.Session.TerminalType == "WEB")
{
string protectionValueInSession = heContext.Session.SessionFixationProtection;
if (protectionValueInSession != null && heContext.PendingSessionProtectionValidation)
{
HttpCookie protectionValueCookie = GetCookieByName(heContext.Context.Request.Cookies, heContext.AppInfo.SessionFixationProtectionCookieName);
heContext.PendingSessionProtectionValidation = false;
if (protectionValueCookie == null || (protectionValueCookie != null && !protectionValueInSession.Equals(protectionValueCookie.Value)))
{
if (Settings.GetBool(Settings.Configs.DebugSessionFixationProtection))
{
GeneralLog.StaticWrite(DateTime.Now, heContext.Session.SessionID, heContext.AppInfo.eSpaceId, 0, heContext.Session.UserId,
"Session fixation mismatch with current cookie (session:" + protectionValueInSession + " cookie:" + (protectionValueCookie == null ? "null" : protectionValueCookie.Value) + ")", "INFO", "SESSION", null);
}
var protectionValueCookieValue = protectionValueCookie == null || protectionValueCookie.Value == null ? "" : protectionValueCookie.Value;
if (DateTime.Now < heContext.Session.SessionFixationProtectionExpirationInstant && heContext.Session.SessionFixationProtectionOld.Equals(protectionValueCookieValue))
{
//previous session fixation cookie still accepted within the timeframe
//send current cookie again
HttpCookie cookie = new HttpCookie(heContext.AppInfo.SessionFixationProtectionCookieName, heContext.Session.SessionFixationProtection);
cookie.Path = SESSION_FIXATION_PROTECTION_COOKIE_PATH;
SecureCookieUtils.setSecureCookie(cookie, heContext.Context.Response);
if (Settings.GetBool(Settings.Configs.DebugSessionFixationProtection))
{
GeneralLog.StaticWrite(DateTime.Now, heContext.Session.SessionID, heContext.AppInfo.eSpaceId, 0, heContext.Session.UserId,
"(repeat) CurrentSessionFixationProtectionCookie (" + heContext.Session.SessionFixationProtection + ")", "INFO", "SESSION", null);
}
return;
}
if (Settings.GetBool(Settings.Configs.DebugSessionFixationProtection))
{
GeneralLog.StaticWrite(DateTime.Now, heContext.Session.SessionID, heContext.AppInfo.eSpaceId, 0, heContext.Session.UserId, "Session fixation mismatch with old cookie (old:" + heContext.Session.SessionFixationProtectionOld + " cookie:" + (protectionValueCookie == null ? "null" : protectionValueCookie.Value) + ")", "INFO", "SESSION", null);
}
// Clear the session cookie to avoid locking the user to an invalid session in the next request. This might not work when we have session cookies bound to the domain,
// but it would help the rare case when people get locked with no reason to simply retry the request and continue.
DeleteSessionCookie(heContext);
throw new Exception("Session fixation mismatch");
}
}
}
}
}
private static void AddOrUpdatePersistentLoginEntryAndCookie(HeContext heContext, Transaction trans, int tenantId, int userId, int persistentLoginId, DateTime expirationDateTime, string operationName)
{
if (persistentLoginId == 0 || expirationDateTime == DateTime.MinValue)
{
int daysToRememberLogin = Settings.GetInt(Settings.Configs.RememberLoginTimeoutInDays);
TimeSpan timeSpan = new TimeSpan(daysToRememberLogin, 0, 0, 0);
expirationDateTime = DateTime.Now.Add(timeSpan);
}
// This method is not protected by UseSessionFixationProtection() on purpose
// What happens here is supposed to happen, regardless of the value of that setting
string terminalType = heContext.Session.TerminalType;
bool addCookieToResponse = false;
string cookieValue;
switch (heContext.Session.TerminalType)
{
case "SMS":
cookieValue = heContext.Session.MSISDN;
break;
case "WEB":
default:
terminalType = "WEB";
addCookieToResponse = true;
cookieValue = Guid.NewGuid().ToString();
break;
}
DBRuntimePlatform.Instance.AddOrUpdatePersistentLoginEntry(trans, persistentLoginId, tenantId, userId, cookieValue, expirationDateTime, terminalType, operationName);
if (addCookieToResponse)
{
HttpCookie cookie = new HttpCookie(heContext.AppInfo.PersitentLoginCookieName, cookieValue);
cookie.Path = PERSISTENT_LOGIN_COOKIE_PATH;
cookie.Expires = expirationDateTime;
SecureCookieUtils.setSecureCookie(cookie, heContext.Context.Response);
}
}
private static void AddOrUpdatePersistentLoginEntryAndCookie(HeContext heContext, Transaction trans, int tenantId, int userId, int persistentLoginId, DateTime expirationDateTime, string operationName)
{
if (persistentLoginId == 0 || expirationDateTime == DateTime.MinValue)
{
int daysToRememberLogin = RuntimePlatformSettings.Authentication.RememberLoginTimeoutInDays.GetValue();
TimeSpan timeSpan = new TimeSpan(daysToRememberLogin, 0, 0, 0);
expirationDateTime = DateTime.Now.Add(timeSpan);
}
// This method is not protected by UseSessionFixationProtection() on purpose
// What happens here is supposed to happen, regardless of the value of that setting
string cookieValue = Guid.NewGuid().ToString();
DBRuntimePlatform.Instance.AddOrUpdatePersistentLoginEntry(trans, persistentLoginId, tenantId, userId, cookieValue, expirationDateTime, /*terminalType*/ "WEB", operationName);
HttpCookie cookie = new HttpCookie(heContext.AppInfo.PersitentLoginCookieName, cookieValue)
{
Path = PERSISTENT_LOGIN_COOKIE_PATH,
Expires = expirationDateTime
};
SecureCookieUtils.setSecureCookie(cookie, heContext.Context.Response);
}
