public void ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken)
{
// Were the tokens even present at all?
if (sessionToken == null)
{
throw HttpAntiForgeryException.CreateCookieMissingException(_config.CookieName);
}
if (fieldToken == null)
{
throw HttpAntiForgeryException.CreateFormFieldMissingException(_config.FormFieldName);
}
// Do the tokens have the correct format?
if (!sessionToken.IsSessionToken || fieldToken.IsSessionToken)
{
throw HttpAntiForgeryException.CreateTokensSwappedException(_config.CookieName, _config.FormFieldName);
}
// Are the security tokens embedded in each incoming token identical?
if (!Equals(sessionToken.SecurityToken, fieldToken.SecurityToken))
{
throw HttpAntiForgeryException.CreateSecurityTokenMismatchException();
}
// Is the incoming token meant for the current user?
string currentUsername = String.Empty;
BinaryBlob currentClaimUid = null;
if (identity != null && identity.IsAuthenticated)
{
currentClaimUid = _claimUidExtractor.ExtractClaimUid(identity);
if (currentClaimUid == null)
{
currentUsername = identity.Name ?? String.Empty;
}
}
// OpenID and other similar authentication schemes use URIs for the username.
// These should be treated as case-sensitive.
bool useCaseSensitiveUsernameComparison = currentUsername.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
currentUsername.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
if (!String.Equals(fieldToken.Username, currentUsername, (useCaseSensitiveUsernameComparison) ? StringComparison.Ordinal : StringComparison.OrdinalIgnoreCase))
{
throw HttpAntiForgeryException.CreateUsernameMismatchException(fieldToken.Username, currentUsername);
}
if (!Equals(fieldToken.ClaimUid, currentClaimUid))
{
throw HttpAntiForgeryException.CreateClaimUidMismatchException();
}
// Is the AdditionalData valid?
if (_config.AdditionalDataProvider != null && !_config.AdditionalDataProvider.ValidateAdditionalData(httpContext, fieldToken.AdditionalData))
{
throw HttpAntiForgeryException.CreateAdditionalDataCheckFailedException();
}
}
public AntiForgeryToken Deserialize(string serializedToken)
{
try {
using (MemoryStream stream = new MemoryStream(_cryptoSystem.Unprotect(serializedToken))) {
using (BinaryReader reader = new BinaryReader(stream)) {
AntiForgeryToken token = DeserializeImpl(reader);
if (token != null)
{
return(token);
}
}
}
} catch {
// swallow all exceptions - homogenize error if something went wrong
}
// if we reached this point, something went wrong deserializing
throw HttpAntiForgeryException.CreateDeserializationFailedException();
}
