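    /// <summary>
    /// Checks a user's autologin key and, when it matches, performs the automatic
    /// login for the current request.
    /// On success the request keeps being processed with a fresh session and a new
    /// (non-persistent) forms-authentication cookie in the response.
    /// When the user does not exist, has no stored password or the key does not match,
    /// processing continues without an authenticated session; the code after this call
    /// must verify authentication itself (with WebSecurity.IsAuthenticated, for example).
    /// The current session is cleared at the beginning in every case, even on failure.
    /// The expected key is derived only from the stored password (same derivation as
    /// GetAutologinKey), so a given key keeps working until that password changes.
    /// </summary>
    /// <param name="userid">User ID as received from the request; looked up as-is and also converted with AsInt() on success.</param>
    /// <param name="autologinkey">Key as received from the request, compared against the key computed from the stored password.</param>
    /// <exception cref="ConstraintException">Thrown when the account is locked out.</exception>
    public static void Autologin(string userid, string autologinkey)
    {
        // Clear current session to avoid conflicts. Done before any check so that a
        // failed attempt never leaves a previous session alive.
        if (HttpContext.Current.Session != null)
        {
            HttpContext.Current.Session.Clear();
        }

        using (var db = Database.Open("sqlloco"))
        {
            // Get user email by userid
            var userEmail = db.QueryValue(@"
                SELECT  email
                FROM    userprofile
                WHERE   userid = @0
            ", userid);

            // Invalid ID? Out
            if (String.IsNullOrEmpty(userEmail))
            {
                return;
            }

            if (IsAccountLockedOut(userEmail))
            {
                throw new ConstraintException(AccountLockedErrorMessage);
            }

            var p = db.QueryValue(@"
                SELECT  Password
                FROM    webpages_Membership
                WHERE   UserId=@0
            ", userid);

            // No password saved? out! (avoid exception with encryptor later)
            if (String.IsNullOrEmpty(p))
            {
                return;
            }

            // TODO For performance and security, save a processed autologinkey in database
            // and check against that rather than do this tasks every time; auto compute on
            // any password change.
            // Check if autologinkey and password (encrypted and then converted for url) match.
            // The comparison does not stop at the first differing character, so response
            // timing does not reveal how much of the expected key a caller got right.
            string expectedKey = LcEncryptor.ConvertForURL(LcEncryptor.Encrypt(p));
            if (AutologinKeysMatch(autologinkey, expectedKey))
            {
                // Autologin Success
                // New authentication cookie: Logged! (second argument false: the cookie is
                // not persisted across browser sessions)
                System.Web.Security.FormsAuthentication.SetAuthCookie(userEmail, false);

                LcData.UserInfo.RegisterLastLoginTime(userid.AsInt(), userEmail);
            }
        }
    }

    /// <summary>
    /// Compares a key received from the request with the expected one without
    /// short-circuiting on the first mismatch. A null value on either side, or a
    /// length difference, is a mismatch (a null key never authenticates).
    /// </summary>
    /// <param name="provided">Key received from the request.</param>
    /// <param name="expected">Key computed from the stored password.</param>
    /// <returns>True only when both are non-null and character-for-character equal.</returns>
    private static bool AutologinKeysMatch(string provided, string expected)
    {
        if (provided == null || expected == null)
        {
            return false;
        }
        if (provided.Length != expected.Length)
        {
            return false;
        }

        // Accumulate every per-character difference instead of returning early.
        int difference = 0;
        for (int i = 0; i < provided.Length; i++)
        {
            difference |= provided[i] ^ expected[i];
        }
        return difference == 0;
    }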
 /// <summary>
 /// Builds the URL-safe key that lets a user be logged in automatically from a
 /// URL; intended for email templates.
 /// The key is the user's stored password value encrypted and adapted for URL
 /// use, so it stays constant until that stored password changes.
 /// </summary>
 /// <param name="userid">Membership UserId of the account.</param>
 /// <returns>The key, or null when the lookup or the encryption fails
 /// (every exception is swallowed).</returns>
 public static string GetAutologinKey(int userid)
 {
     string key = null;
     try
     {
         using (var db = Database.Open("sqlloco"))
         {
             var storedPassword = db.QueryValue(@"
                 SELECT  Password
                 FROM    webpages_Membership
                 WHERE   UserId=@0
             ", userid);
             var encrypted = LcEncryptor.Encrypt(storedPassword);
             key = LcEncryptor.ConvertForURL(encrypted);
         }
     }
     catch
     {
         // Best-effort by design: callers receive null instead of an exception.
     }
     return key;
 }
 /// <summary>
 /// Builds a URL-safe authorization token for a user from its ID and stored password.
 /// #827
 /// Like the original Autologin key, the token is the encryption of the (already
 /// encrypted) stored password made suitable for URLs; here the user ID is placed in
 /// front of the password, separated by "::::", in the text being encrypted.
 /// Since only those two values feed the token, it stays the same until the password changes.
 /// The original note states the result is always 216 ASCII characters; that length
 /// depends on LcEncryptor and is not checked here.
 /// </summary>
 /// <param name="userID">Membership UserId of the account.</param>
 /// <returns>The token, or null when the lookup or the encryption fails
 /// (every exception is swallowed).</returns>
 public static string CreateTokenFromUserPassword(int userID)
 {
     string token = null;
     try
     {
         using (var db = Database.Open("sqlloco"))
         {
             var storedPassword = db.QueryValue(@"
                 SELECT  Password
                 FROM    webpages_Membership
                 WHERE   UserId=@0
             ", userID);
             var plainText = userID.ToString() + "::::" + storedPassword;
             token = LcEncryptor.ConvertForURL(LcEncryptor.Encrypt(plainText));
         }
     }
     catch
     {
         // Best-effort by design: any failure yields null rather than an exception.
     }
     return token;
 }
    /// <summary>
    /// Creates a URL-safe token from the user ID and a freshly generated GUID.
    /// Unlike CreateTokenFromUserPassword, every call yields a different value.
    /// Note (original author): with a GUID the user ID, the encryption and the URL
    /// sanitization may all be unnecessary; they are kept until that is confirmed.
    /// NOTE(review): Guid.NewGuid is the only unpredictable input here and its
    /// randomness is not part of the Guid contract; confirm that is acceptable for
    /// how this token is used, or consider RandomNumberGenerator for the random part.
    /// </summary>
    /// <param name="userID">User ID embedded in the token before the "::::" separator.</param>
    /// <returns>The encrypted, URL-adapted "userID::::guid" text.</returns>
    public static string CreateUserGuidToken(int userID)
    {
        var nonce = Guid.NewGuid().ToString();
        var plainText = String.Concat(userID.ToString(), "::::", nonce);
        var encrypted = LcEncryptor.Encrypt(plainText);

        return LcEncryptor.ConvertForURL(encrypted);
    }