        // adapted from https://stackoverflow.com/a/4420114/6121074

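        /// <summary>
        /// Prevents HTTP session fixation by generating a new session ID upon login.
        /// The old entry is removed from the session store and the session state module
        /// is pointed at the new ID, under which it re-saves the session data it still holds.
        /// </summary>
        /// <remarks>
        /// https://www.owasp.org/index.php/Session_Fixation
        /// The implementation reaches into private fields of <see cref="SessionStateModule"/>
        /// by name (<c>_store</c>, <c>_rqId</c>, <c>_rqLockId</c>, <c>_rqSessionStateNotFound</c>,
        /// <c>_rqItem</c>) and is therefore tied to the ASP.NET version in use.
        /// </remarks>
        /// <returns>The new session ID.</returns>
        /// <exception cref="InvalidOperationException">
        /// There is no current <see cref="HttpContext"/>, the "Session" module is missing or is not a
        /// <see cref="SessionStateModule"/>, or one of the expected private fields was not found.
        /// </exception>
        public static string RegenerateSessionId()
        {
            var context = HttpContext.Current
                ?? throw new InvalidOperationException("RegenerateSessionId requires a current HttpContext.");

            // create a new session id and write it to the response
            // (cookie or URL, depending on the configured cookieless mode)
            var manager = new SessionIDManager();
            var oldId   = manager.GetSessionID(context);
            var newId   = manager.CreateSessionID(context);

            manager.SaveSessionID(context, newId, out _, out _);

            // retrieve the session state module for the current application instance
            var session = context.ApplicationInstance?.Modules.Get("Session") as SessionStateModule
                ?? throw new InvalidOperationException("The \"Session\" HTTP module is missing or is not a SessionStateModule.");
            var fields  = session.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);

            // parse the session fields (private ASP.NET implementation details)
            SessionStateStoreProviderBase store = null;
            FieldInfo             rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null;
            SessionStateStoreData rqItem = null;

            foreach (var field in fields)
            {
                switch (field.Name)
                {
                case "_store":
                    store = (SessionStateStoreProviderBase)field.GetValue(session);
                    break;

                case "_rqId":
                    rqIdField = field;
                    break;

                case "_rqLockId":
                    rqLockIdField = field;
                    break;

                case "_rqSessionStateNotFound":
                    rqStateNotFoundField = field;
                    break;

                case "_rqItem":
                    rqItem = (SessionStateStoreData)field.GetValue(session);
                    break;
                }
            }

            // fail with a clear message instead of a NullReferenceException when the
            // private layout of SessionStateModule differs from the one assumed above
            if (store == null || rqIdField == null || rqLockIdField == null || rqStateNotFoundField == null)
            {
                throw new InvalidOperationException(
                    "SessionStateModule does not expose the expected private fields " +
                    "(_store, _rqId, _rqLockId, _rqSessionStateNotFound); this method depends on ASP.NET internals.");
            }

            // remove the old entry from the store so the old id no longer resolves to this session
            var lockId = rqLockIdField.GetValue(session);

            if (lockId != null && oldId != null)
            {
                store.RemoveItem(context, oldId, lockId, rqItem);
            }

            // assign the new id to the session; marking the state as "not found" makes the
            // module treat it as a new entry when it next saves state, so the items it still
            // holds in memory are stored under the new id
            rqStateNotFoundField.SetValue(session, true);
            rqIdField.SetValue(session, newId);

            return(newId);
        }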
        /// <summary>
        /// Regenerates the ASP.NET session ID for the current request (session fixation
        /// mitigation): a new ID is created and written to the response, the lock on the old
        /// ID's store entry is released and the session state module is pointed at the new ID.
        /// </summary>
        /// <remarks>
        /// Depends on private fields of <see cref="SessionStateModule"/> looked up by name
        /// (<c>_store</c>, <c>_rqId</c>, <c>_rqLockId</c>, <c>_rqSessionStateNotFound</c>);
        /// each step is skipped when its field was not found.
        /// NOTE(review): the old entry is only released (<c>ReleaseItemExclusive</c>), not removed,
        /// so the old ID keeps resolving to it until it expires — call this before any
        /// authenticated state is written into the session.
        /// </remarks>
        /// <returns>The newly created session ID.</returns>
        private string RegenrateSessionId()
        {
            HttpContext context = System.Web.HttpContext.Current;
            var         manager = new SessionIDManager();
            string      oldId   = manager.GetSessionID(context);
            string      newId   = manager.CreateSessionID(context);

            manager.SaveSessionID(context, newId, out _, out _);

            // the session state module owns the per-request session bookkeeping
            var ssm = (SessionStateModule)System.Web.HttpContext.Current.ApplicationInstance.Modules.Get("Session");

            SessionStateStoreProviderBase store = null;
            FieldInfo rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null;

            foreach (FieldInfo field in ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance))
            {
                switch (field.Name)
                {
                case "_store":
                    store = (SessionStateStoreProviderBase)field.GetValue(ssm);
                    break;
                case "_rqId":
                    rqIdField = field;
                    break;
                case "_rqLockId":
                    rqLockIdField = field;
                    break;
                case "_rqSessionStateNotFound":
                    rqStateNotFoundField = field;
                    break;
                }
            }

            // release the old entry's lock only when everything the call needs is present
            object lockId = rqLockIdField?.GetValue(ssm);
            if (lockId != null && oldId != null && store != null)
            {
                store.ReleaseItemExclusive(context, oldId, lockId);
            }

            // point the module at the new id and mark the state as not yet stored
            rqStateNotFoundField?.SetValue(ssm, true);
            rqIdField?.SetValue(ssm, newId);

            return(newId);
        }
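        /// <summary>
        /// Regenerates the session ID for the current request to defeat session fixation:
        /// the old ID is dropped from the response and removed from the store, a new ID is
        /// written to the response and the session state module is pointed at the new ID so
        /// the session data it still holds is re-saved under it.
        /// </summary>
        /// <remarks>
        /// Relies on private fields of <see cref="SessionStateModule"/> (<c>_store</c>,
        /// <c>_rqId</c>, <c>_rqLockId</c>, <c>_rqSessionStateNotFound</c>, <c>_rqItem</c>)
        /// and therefore on the ASP.NET version in use.
        /// </remarks>
        /// <exception cref="InvalidOperationException">
        /// There is no current <see cref="HttpContext"/>, the "Session" module is missing or is
        /// not a <see cref="SessionStateModule"/>, or one of the expected private fields is missing.
        /// </exception>
        protected void ReGenerateSessionId()
        {
            HttpContext context = System.Web.HttpContext.Current
                ?? throw new InvalidOperationException("ReGenerateSessionId requires a current HttpContext.");
            SessionIDManager manager = new SessionIDManager();
            string           oldId   = manager.GetSessionID(context);
            string           newId   = manager.CreateSessionID(context);

            // drop the old id from the response and write the new one
            manager.RemoveSessionID(context);
            manager.SaveSessionID(context, newId, out _, out _);

            // locate the session state module that holds this request's session
            SessionStateModule ssm = context.ApplicationInstance?.Modules.Get("Session") as SessionStateModule
                ?? throw new InvalidOperationException("The \"Session\" HTTP module is missing or is not a SessionStateModule.");

            FieldInfo[] fields = ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);
            SessionStateStoreProviderBase store = null;
            FieldInfo rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null;
            SessionStateStoreData rqItem = null;

            foreach (FieldInfo field in fields)
            {
                switch (field.Name)
                {
                case "_store":
                    store = (SessionStateStoreProviderBase)field.GetValue(ssm);
                    break;
                case "_rqId":
                    rqIdField = field;
                    break;
                case "_rqLockId":
                    rqLockIdField = field;
                    break;
                case "_rqSessionStateNotFound":
                    rqStateNotFoundField = field;
                    break;
                case "_rqItem":
                    rqItem = (SessionStateStoreData)field.GetValue(ssm);
                    break;
                }
            }

            // a missing field means the private layout of SessionStateModule changed;
            // fail with a clear message rather than a NullReferenceException below
            if (store == null || rqIdField == null || rqLockIdField == null || rqStateNotFoundField == null)
            {
                throw new InvalidOperationException(
                    "SessionStateModule does not expose the expected private fields " +
                    "(_store, _rqId, _rqLockId, _rqSessionStateNotFound); this method depends on ASP.NET internals.");
            }

            // remove the old entry from the store so the old id no longer resolves to this session
            object lockId = rqLockIdField.GetValue(ssm);

            if ((lockId != null) && (oldId != null))
            {
                store.RemoveItem(context, oldId, lockId, rqItem);
            }

            // point the module at the new id; the items it still holds in memory (_rqItem)
            // are written back to the store under that id when the module next saves state
            rqStateNotFoundField.SetValue(ssm, true);
            rqIdField.SetValue(ssm, newId);
        }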
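        /// <summary>
        /// Renders the login page. Before doing so the ASP.NET session ID is regenerated
        /// (session fixation mitigation): the old ID is dropped from the response, a new ID
        /// is written, the lock on the old store entry is released and the session state
        /// module is pointed at the new ID.
        /// </summary>
        /// <param name="id">Company identifier; a missing value is reported through <c>ViewBag.Message</c>.</param>
        /// <returns>The login view.</returns>
        /// <exception cref="InvalidOperationException">
        /// There is no current <see cref="HttpContext"/>, the "Session" module is missing or is
        /// not a <see cref="SessionStateModule"/>, or one of its expected private fields is missing.
        /// </exception>
        public ActionResult Login(int? id)
        {
            HttpContext context = System.Web.HttpContext.Current
                ?? throw new InvalidOperationException("Login requires a current HttpContext.");
            SessionIDManager manager = new SessionIDManager();

            // drop the old id from the response, then issue and write a new one
            manager.RemoveSessionID(context);
            var oldId = manager.GetSessionID(context);
            var newId = manager.CreateSessionID(context);

            manager.SaveSessionID(context, newId, out _, out _);
            context.Session["sessionid"] = newId;

            // locate the session state module that holds this request's session
            SessionStateModule ssm = context.ApplicationInstance?.Modules.Get("Session") as SessionStateModule
                ?? throw new InvalidOperationException("The \"Session\" HTTP module is missing or is not a SessionStateModule.");

            FieldInfo[] fields = ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);
            SessionStateStoreProviderBase store = null;
            FieldInfo rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null;

            foreach (FieldInfo field in fields)
            {
                switch (field.Name)
                {
                case "_store":
                    store = (SessionStateStoreProviderBase)field.GetValue(ssm);
                    break;
                case "_rqId":
                    rqIdField = field;
                    break;
                case "_rqLockId":
                    rqLockIdField = field;
                    break;
                case "_rqSessionStateNotFound":
                    rqStateNotFoundField = field;
                    break;
                }
            }

            // a missing field means the private layout of SessionStateModule changed;
            // fail with a clear message rather than a NullReferenceException below
            if (store == null || rqIdField == null || rqLockIdField == null || rqStateNotFoundField == null)
            {
                throw new InvalidOperationException(
                    "SessionStateModule does not expose the expected private fields " +
                    "(_store, _rqId, _rqLockId, _rqSessionStateNotFound); this action depends on ASP.NET internals.");
            }

            // release the lock on the old entry
            // NOTE(review): unlike RemoveItem this leaves the old entry in the store until it
            // expires, so no authenticated state should be written into the session before this point
            object lockId = rqLockIdField.GetValue(ssm);

            if ((lockId != null) && (oldId != null))
            {
                store.ReleaseItemExclusive(context, oldId, lockId);
            }
            rqStateNotFoundField.SetValue(ssm, true);
            rqIdField.SetValue(ssm, newId);

            ViewBag.CompanyID     = id;
            ViewBag.Message       = id.HasValue ? "" : "缺少公司标识";
            // NOTE(review): the query-string values are inserted unencoded; confirm that
            // redirectUri and state are already URL-encoded (Uri.EscapeDataString) where they are set
            ViewBag.ThirdLoginUrl = $"{authorizeUrl}?client_id={clinetId}&redirect_uri={redirectUri}&state={state}&response_type=code";
            return(View());
        }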
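        /// <summary>
        /// Regenerates the authentication cookie and the ASP.NET session ID for the current
        /// request (session fixation mitigation): a new ID is written to the response, the
        /// lock on the old store entry is released and the session state module is pointed
        /// at the new ID.
        /// </summary>
        /// <remarks>
        /// Relies on private fields of <see cref="SessionStateModule"/> (<c>_store</c>,
        /// <c>_rqId</c>, <c>_rqLockId</c>, <c>_rqSessionStateNotFound</c>) and therefore on
        /// the ASP.NET version in use. NOTE(review): the old entry is only released, not
        /// removed, so the old ID keeps resolving to it until it expires.
        /// </remarks>
        /// <exception cref="InvalidOperationException">
        /// There is no current <see cref="HttpContext"/>, the "Session" module is missing or is
        /// not a <see cref="SessionStateModule"/>, or one of the expected private fields is missing.
        /// </exception>
        public static void RegenrateSessionId()
        {
            Authorization.AuthoCookie.RegenerateAuthoCookie();

            HttpContext context = HttpContext.Current
                ?? throw new InvalidOperationException("RegenrateSessionId requires a current HttpContext.");
            SessionIDManager manager = new SessionIDManager();
            string           oldId   = manager.GetSessionID(context);
            string           newId   = manager.CreateSessionID(context);

            // write the new id to the response
            manager.SaveSessionID(context, newId, out _, out _);

            // locate the session state module that holds this request's session
            SessionStateModule ssm = context.ApplicationInstance?.Modules.Get("Session") as SessionStateModule
                ?? throw new InvalidOperationException("The \"Session\" HTTP module is missing or is not a SessionStateModule.");

            FieldInfo[] fields = ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);
            SessionStateStoreProviderBase store = null;
            FieldInfo rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null;

            foreach (FieldInfo field in fields)
            {
                switch (field.Name)
                {
                case "_store":
                    store = (SessionStateStoreProviderBase)field.GetValue(ssm);
                    break;
                case "_rqId":
                    rqIdField = field;
                    break;
                case "_rqLockId":
                    rqLockIdField = field;
                    break;
                case "_rqSessionStateNotFound":
                    rqStateNotFoundField = field;
                    break;
                }
            }

            // a missing field means the private layout of SessionStateModule changed;
            // fail with a clear message rather than a NullReferenceException below
            if (store == null || rqIdField == null || rqLockIdField == null || rqStateNotFoundField == null)
            {
                throw new InvalidOperationException(
                    "SessionStateModule does not expose the expected private fields " +
                    "(_store, _rqId, _rqLockId, _rqSessionStateNotFound); this method depends on ASP.NET internals.");
            }

            // release the lock on the old entry
            object lockId = rqLockIdField.GetValue(ssm);

            if ((lockId != null) && (oldId != null))
            {
                store.ReleaseItemExclusive(context, oldId, lockId);
            }

            // point the module at the new id and mark the state as not yet stored
            rqStateNotFoundField.SetValue(ssm, true);
            rqIdField.SetValue(ssm, newId);
        }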
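        /// <summary>
        /// Handles the Register button: issues a fresh session ID for this request, stores a
        /// new random "AuthToken" value in both the session and a response cookie, then
        /// redirects to Registration.aspx.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void RegisterBtn_Click(object sender, EventArgs e)
        {
            // create a random session id and write it to the response
            SessionIDManager manager = new SessionIDManager();
            string newID = manager.CreateSessionID(Context);

            manager.SaveSessionID(Context, newID, out _, out _);

            // the same token is kept server-side and client-side, presumably so later
            // requests can check that the cookie belongs to this session
            // NOTE(review): Guid.NewGuid() is not documented as cryptographically random; if the
            // token must be unguessable, derive it from RandomNumberGenerator instead
            string guid = Guid.NewGuid().ToString();

            Session["AuthToken"] = guid;
            // NOTE(review): the cookie is added without HttpOnly/Secure flags; consider setting
            // them so the token is not readable from script nor sent over plain HTTP
            Response.Cookies.Add(new HttpCookie("AuthToken", guid));

            Response.Redirect("Registration.aspx");
        }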
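        /// <summary>
        /// Ends the current session: records its duration in the <c>Sessions</c> bookkeeping
        /// dictionary, removes that entry, then clears and abandons the ASP.NET session.
        /// </summary>
        /// <remarks>
        /// NOTE(review): if this is the Global.asax <c>Session_End</c> handler, HttpContext.Current
        /// is typically null when it runs (no request is in flight) — confirm that
        /// <c>m.GetSessionID</c> tolerates that before relying on the lookup here.
        /// </remarks>
        public void Session_End()
        {
            var sessionId = m.GetSessionID(System.Web.HttpContext.Current);

            // one lookup instead of ContainsKey + TryGetValue + First(...); a null id
            // (no session id could be read) is skipped rather than thrown by the dictionary
            if (sessionId != null && Sessions.TryGetValue(sessionId, out var podatak))
            {
                if (podatak != null)
                {
                    // podatak is the entry stored under sessionId, so the duration can be
                    // written to it directly; DateTime.Now is kept because pocetakSesije is
                    // presumably captured with DateTime.Now as well — confirm before changing to UtcNow
                    var duration = DateTime.Now - podatak.pocetakSesije;
                    podatak.trajanjeSesije = duration.ToString();
                }

                // send to the database before deleting the dictionary entry
                Sessions.Remove(sessionId);
            }
            Session.Clear();
            Session.Abandon();
        }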