public static Decrypt ( string encryptedTicket ) : System.Web.Security.FormsAuthenticationTicket
encryptedTicket | string
return | System.Web.Security.FormsAuthenticationTicket
/// <summary>
/// On the first (non-postback) load, reads the forms-authentication cookie, decrypts it
/// and pulls the UserData string out of the ticket. Nothing is propagated to the caller:
/// Context.User is reset to null and any decryption failure is silently ignored.
/// </summary>
/// <param name="sender">The page raising the event (unused).</param>
/// <param name="e">Event arguments (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    if (IsPostBack)
    {
        return;
    }

    // Step 1: fetch the login cookie; nothing to do when it is absent or empty.
    HttpCookie authCookie = Request.Cookies[FA.FormsCookieName];
    if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
    {
        return;
    }

    try
    {
        string userData = null;

        // Step 2: decrypt the cookie value into a FormsAuthenticationTicket.
        FormsAuthenticationTicket ticket = FA.Decrypt(authCookie.Value);

        // Step 3: recover the user data carried inside the ticket, if any.
        if (ticket != null && !string.IsNullOrEmpty(ticket.UserData))
        {
            userData = ticket.UserData;
        }

        // Deserialization of userData into a principal is not done here yet;
        // the principal is explicitly cleared.
        Context.User = null;
    }
    catch
    {
        // Deliberately swallowed: a failed decrypt must not surface an error that
        // would let a client distinguish malformed tickets from valid ones.
    }
}
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
// Private method for decrypting a cookie
/// <summary>
/// Locates the forms-authentication ticket for the current request, decrypts it and,
/// when it is valid, re-issues it on the response as a cookie (or as the cookieless
/// URI value, followed by a redirect). Invalid and expired tickets are removed from
/// the request and reported through an audit event.
/// </summary>
/// <param name="context">The request/response context being authenticated.</param>
/// <param name="name">The forms-authentication cookie name; the same name is used for
/// the query-string and form fields consulted in Step 3.</param>
/// <param name="cookielessTicket">Set to true when the ticket travels in the URI
/// rather than in a cookie.</param>
/// <returns>The decrypted, non-expired ticket, or null when no usable ticket was found.</returns>
/// <exception cref="HttpException">Thrown when RequireSSL is on and a valid ticket
/// arrives over a non-SSL connection (Step 3 path).</exception>
private static FormsAuthenticationTicket ExtractTicketFromCookie(HttpContext context, String name, out bool cookielessTicket)
{
    FormsAuthenticationTicket ticket = null;
    string encValue = null;
    // Outcome flags consumed by the finally block to pick the audit event.
    bool ticketExpired = false;
    bool badTicket = false;
    try
    {
        try
        {
            ////////////////////////////////////////////////////////////
            // Step 0: Check if we should use cookieless
            cookielessTicket = CookielessHelperClass.UseCookieless(context, false, FormsAuthentication.CookieMode);
            ////////////////////////////////////////////////////////////
            // Step 1: Check URI/cookie for ticket
            if (cookielessTicket)
            {
                encValue = context.CookielessHelper.GetCookieValue('F');
            }
            else
            {
                HttpCookie cookie = context.Request.Cookies[name];
                if (cookie != null)
                {
                    encValue = cookie.Value;
                }
            }
            ////////////////////////////////////////////////////////////
            // Step 2: Decrypt encrypted ticket
            if (encValue != null && encValue.Length > 1)
            {
                try
                {
                    ticket = FormsAuthentication.Decrypt(encValue);
                }
                catch
                {
                    // A ticket that fails to decrypt is dropped from the request and
                    // recorded as bad; the rethrow is intentionally commented out, so
                    // the only visible trace is the audit event raised in finally.
                    if (cookielessTicket)
                    {
                        context.CookielessHelper.SetCookieValue('F', null);
                    }
                    else
                    {
                        context.Request.Cookies.Remove(name);
                    }
                    badTicket = true;
                    //throw;
                }
                if (ticket == null)
                {
                    badTicket = true;
                }
                if (ticket != null && !ticket.Expired)
                {
                    // A cookie-borne ticket over a non-SSL connection is not honored when
                    // RequireSSL is set; it falls through to Step 2b and is removed.
                    if (cookielessTicket || !FormsAuthentication.RequireSSL || context.Request.IsSecureConnection) // Make sure it is NOT a secure cookie over an in-secure connection
                    {
                        return(ticket); // Found valid ticket
                    }
                }
                if (ticket != null && ticket.Expired)
                {
                    ticketExpired = true;
                }
                // Step 2b: Remove expired/bad ticket
                ticket = null;
                if (cookielessTicket)
                {
                    context.CookielessHelper.SetCookieValue('F', null);
                }
                else
                {
                    context.Request.Cookies.Remove(name);
                }
            }
            ////////////////////////////////////////////////////////////
            // Step 3: Look in QueryString
            // Only with EnableCrossAppRedirects may the ticket be taken from the query
            // string (3) or the posted form (3b). A ticket accepted here is re-issued
            // as the session cookie / URI value in Step 4.
            if (FormsAuthentication.EnableCrossAppRedirects)
            {
                encValue = context.Request.QueryString[name];
                if (encValue != null && encValue.Length > 1)
                {
                    if (!cookielessTicket && FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect)
                    {
                        cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode); // find out for sure
                    }
                    try
                    {
                        ticket = FormsAuthentication.Decrypt(encValue);
                    }
                    catch
                    {
                        badTicket = true;
                        //throw;
                    }
                    if (ticket == null)
                    {
                        badTicket = true;
                    }
                }
                // Step 3b: Look elsewhere in the request (i.e. posted body)
                if (ticket == null || ticket.Expired)
                {
                    encValue = context.Request.Form[name];
                    if (encValue != null && encValue.Length > 1)
                    {
                        if (!cookielessTicket && FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect)
                        {
                            cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode); // find out for sure
                        }
                        try
                        {
                            ticket = FormsAuthentication.Decrypt(encValue);
                        }
                        catch
                        {
                            badTicket = true;
                            //throw;
                        }
                        if (ticket == null)
                        {
                            badTicket = true;
                        }
                    }
                }
            }
            if (ticket == null || ticket.Expired)
            {
                if (ticket != null && ticket.Expired)
                {
                    ticketExpired = true;
                }
                return(null); // not found! Exit with null
            }
            // Unlike Step 2, a valid ticket from the query string/form over a non-SSL
            // connection is treated as an error rather than silently dropped.
            if (FormsAuthentication.RequireSSL && !context.Request.IsSecureConnection) // Bad scenario: valid ticket over non-SSL
            {
                throw new HttpException(SR.GetString(SR.Connection_not_secure_creating_secure_cookie));
            }
            ////////////////////////////////////////////////////////////
            // Step 4: Create the cookie/URI value
            if (cookielessTicket)
            {
                // The URI value is always scoped to "/", so a ticket with a narrower
                // CookiePath is rebuilt (same fields, root path) and re-encrypted.
                if (ticket.CookiePath != "/")
                {
                    FormsAuthenticationTicket tempTicket = FormsAuthenticationTicket.FromUtc(ticket.Version, ticket.Name, ticket.IssueDateUtc, ticket.ExpirationUtc, ticket.IsPersistent, ticket.UserData, "/");
                    ticket = tempTicket;
                    encValue = FormsAuthentication.Encrypt(ticket);
                }
                context.CookielessHelper.SetCookieValue('F', encValue);
                // Strip the ticket from the URL before redirecting so it is not left in the address.
                string strUrl = FormsAuthentication.RemoveQueryStringVariableFromUrl(context.Request.RawUrl, name);
                context.Response.Redirect(strUrl);
            }
            else
            {
                // Re-issue the ticket as a cookie: HttpOnly always on, Secure mirrors
                // RequireSSL, domain/SameSite taken from configuration. Only persistent
                // tickets get an Expires (otherwise the cookie is session-scoped).
                HttpCookie cookie = new HttpCookie(name, encValue);
                cookie.HttpOnly = true;
                cookie.Path = ticket.CookiePath;
                if (ticket.IsPersistent)
                {
                    cookie.Expires = ticket.Expiration;
                }
                cookie.Secure = FormsAuthentication.RequireSSL;
                if (FormsAuthentication.CookieDomain != null)
                {
                    cookie.Domain = FormsAuthentication.CookieDomain;
                }
                cookie.SameSite = FormsAuthentication.CookieSameSite;
                context.Response.Cookies.Remove(cookie.Name);
                context.Response.Cookies.Add(cookie);
            }
            return(ticket);
        }
        finally
        {
            // Audit reporting runs on every exit path; a bad ticket takes precedence
            // over an expired one when both were seen.
            if (badTicket)
            {
                WebBaseEvent.RaiseSystemEvent(null, WebEventCodes.AuditFormsAuthenticationFailure, WebEventCodes.InvalidTicketFailure);
            }
            else if (ticketExpired)
            {
                WebBaseEvent.RaiseSystemEvent(null, WebEventCodes.AuditFormsAuthenticationFailure, WebEventCodes.ExpiredTicketFailure);
            }
        }
    }
    catch
    {
        // Rethrown unchanged (`throw;` preserves the stack trace); this wrapper adds
        // no handling of its own.
        throw;
    }
}
/// <summary>
/// AuthenticateRequest handler for forms authentication: marks the login page and
/// WebResource.axd requests as exempt from authorization, lets the Authenticate event
/// supply a principal, and otherwise builds context.User from the forms-authentication
/// cookie, re-issuing the cookie when the ticket was renewed by sliding expiration.
/// </summary>
/// <param name="sender">The HttpApplication raising the event.</param>
/// <param name="args">Event arguments; not used.</param>
void OnAuthenticateRequest(object sender, EventArgs args)
{
    HttpApplication app = (HttpApplication)sender;
    HttpContext context = app.Context;
    string cookieName;
    string cookiePath;
    string loginPage;
    bool slidingExpiration;
    // InitConfig presumably populates _config from the <authentication> section —
    // both are defined elsewhere in this module.
    InitConfig(context);
    if (_config == null || _config.Mode != AuthenticationMode.Forms)
    {
        return;
    }
    cookieName = _config.Forms.Name;
    cookiePath = _config.Forms.Path;
    loginPage = _config.Forms.LoginUrl;
    slidingExpiration = _config.Forms.SlidingExpiration;
    if (!VirtualPathUtility.IsRooted(loginPage))
    {
        loginPage = "~/" + loginPage;
    }
    string reqPath = String.Empty;
    string loginPath = null;
    try
    {
        reqPath = context.Request.PhysicalPath;
        loginPath = context.Request.MapPath(loginPage);
    }
    catch {} // ignore
    // If MapPath failed, loginPath stays null and the comparison below is not 0,
    // so authorization is NOT skipped. The login page itself is compared by
    // physical path, case-insensitively.
    context.SkipAuthorization = String.Compare(reqPath, loginPath, RuntimeHelpers.CaseInsensitive, Helpers.InvariantCulture) == 0;
    //TODO: need to check that the handler is System.Web.Handlers.AssemblyResourceLoader type
    // NOTE(review): this is a suffix match on the request path only; any path ending in
    // "WebResource.axd" skips authorization regardless of which handler serves it.
    string filePath = context.Request.FilePath;
    if (filePath.Length > 15 && String.CompareOrdinal("WebResource.axd", 0, filePath, filePath.Length - 15, 15) == 0)
    {
        context.SkipAuthorization = true;
    }
    // Give the Authenticate event a chance to supply the principal itself.
    FormsAuthenticationEventArgs formArgs = new FormsAuthenticationEventArgs(context);
    FormsAuthenticationEventHandler eh = events [authenticateEvent] as FormsAuthenticationEventHandler;
    if (eh != null)
    {
        eh(this, formArgs);
    }
    // A principal set by the event (or already present on the context) wins; the
    // cookie is not consulted in that case.
    bool contextUserNull = (context.User == null);
    if (formArgs.User != null || !contextUserNull)
    {
        if (contextUserNull)
        {
            context.User = formArgs.User;
        }
        return;
    }
    HttpCookie cookie = context.Request.Cookies [cookieName];
    // Expiry is compared against local DateTime.Now. NOTE(review): browsers do not
    // normally send an Expires attribute with request cookies, so this branch may
    // only trigger for a locally constructed cookie — confirm.
    if (cookie == null || (cookie.Expires != DateTime.MinValue && cookie.Expires < DateTime.Now))
    {
        return;
    }
    FormsAuthenticationTicket ticket = null;
    try
    {
        ticket = FormsAuthentication.Decrypt(cookie.Value);
    }
    catch (ArgumentException)
    {
        // incorrect cookie value, suppress the exception
        // (only ArgumentException is swallowed; any other exception type propagates)
        return;
    }
    // NOTE(review): only a non-persistent expired ticket is rejected here; a persistent
    // ticket whose Expired flag is set still produces an authenticated principal below.
    // Confirm this is intended, since the ticket's own expiration is then not enforced.
    if (ticket == null || (!ticket.IsPersistent && ticket.Expired))
    {
        return;
    }
    FormsAuthenticationTicket oldticket = ticket;
    if (slidingExpiration)
    {
        // RenewTicketIfOld returns a new ticket when renewed, otherwise the same
        // instance; the reference comparison below relies on that.
        ticket = FormsAuthentication.RenewTicketIfOld(ticket);
    }
    // Principal with no roles (empty role array).
    context.User = new GenericPrincipal(new FormsIdentity(ticket), new string [0]);
    if (cookie.Expires == DateTime.MinValue && oldticket == ticket)
    {
        return;
    }
    // Re-issue the (renewed) ticket by reusing the request cookie object; note that
    // HttpOnly and Secure are not set on this path, only Value, Path and Expires.
    cookie.Value = FormsAuthentication.Encrypt(ticket);
    cookie.Path = cookiePath;
    if (ticket.IsPersistent)
    {
        cookie.Expires = ticket.Expiration;
    }
    context.Response.Cookies.Add(cookie);
}