Ejemplo n.º 1
0
        /// <summary>
        /// Handles the request
        /// </summary>
        /// <returns>The awaitable task.</returns>
        /// <param name="context">The requests context.</param>
        public async Task <bool> HandleAsync(IHttpContext context)
        {
            var xsrf   = context.Request.Headers[XSRFHeaderName] ?? context.Request.Cookies[XSRFCookieName];
            var cookie = context.Request.Cookies[AuthSessionCookieName];

            SessionRecord session = null;

            if (!string.IsNullOrWhiteSpace(xsrf))
            {
                session = await ShortTermStorage.GetSessionFromXSRFAsync(xsrf);

                if (Utility.IsNullOrExpired(session))
                {
                    session = null;
                }
                else
                {
                    await RefreshSessionTokensAsync(context, session);
                }
            }

            if (session == null && !string.IsNullOrWhiteSpace(cookie))
            {
                session = await ShortTermStorage.GetSessionFromCookieAsync(cookie);

                if (Utility.IsNullOrExpired(session))
                {
                    session = null;
                }
                else
                {
                    await RefreshSessionTokensAsync(context, session);
                }
            }

            // Check that we have not already set the XSRF cookie
            if (context.Response.Cookies.FirstOrDefault(x => x.Name == XSRFCookieName) == null)
            {
                if (session == null)
                {
                    session = new SessionRecord()
                    {
                        XSRFToken = PRNG.GetRandomString(32),
                        Expires   = DateTime.Now.AddSeconds(ShortTermExpirationSeconds)
                    };
                    await ShortTermStorage.AddSessionAsync(session);
                }

                // If the connection is using SSL, require SSL for the cookie
                var usingssl = context.Request.SslProtocol != System.Security.Authentication.SslProtocols.None;

                context.Response.AddCookie(XSRFCookieName, session.XSRFToken, expires: session.Expires, httponly: false, secure: usingssl);
            }

            return(false);
        }
Ejemplo n.º 2
0
        /// <summary>
        /// Handles the request
        /// </summary>
        /// <returns>The awaitable task.</returns>
        /// <param name="context">The requests context.</param>
        public virtual async Task <bool> HandleAsync(IHttpContext context)
        {
            if (!ForceCheck && !string.IsNullOrWhiteSpace(context.Request.UserID))
            {
                return(false);
            }

            var xsrf   = context.Request.Headers[XSRFHeaderName];
            var cookie = context.Request.Cookies[AuthSessionCookieName];

            if (UseXSRFTokens && CheckXSRFToken && string.IsNullOrWhiteSpace(xsrf))
            {
                return(SetXSRFError(context));
            }

            if (UseXSRFTokens && CheckXSRFToken)
            {
                var session = await ShortTermStorage.GetSessionFromXSRFAsync(xsrf);

                if (Utility.IsNullOrExpired(session))
                {
                    return(SetXSRFError(context));
                }

                if (string.IsNullOrWhiteSpace(cookie) || session.Cookie != cookie)
                {
                    if (await LoginWithBasicAuth(context))
                    {
                        return(false);
                    }

                    if (await PerformLongTermLogin(context))
                    {
                        return(false);
                    }

                    // Check for a Hijack response
                    if (context.Response.HasSentHeaders)
                    {
                        return(true);
                    }

                    return(SetLoginError(context));
                }

                await RefreshSessionTokensAsync(context, session);

                context.Request.UserID = session.UserID;
            }
            else
            {
                SessionRecord session = null;

                if (!string.IsNullOrWhiteSpace(cookie))
                {
                    session = await ShortTermStorage.GetSessionFromCookieAsync(cookie);
                }

                if (Utility.IsNullOrExpired(session))
                {
                    if (await LoginWithBasicAuth(context))
                    {
                        return(false);
                    }

                    if (await PerformLongTermLogin(context))
                    {
                        return(false);
                    }

                    // Check for a Hijack response
                    if (context.Response.HasSentHeaders)
                    {
                        return(true);
                    }

                    return(SetLoginError(context));
                }

                await RefreshSessionTokensAsync(context, session);

                context.Request.UserID = session.UserID;
            }

            return(false);
        }
Ejemplo n.º 3
0
        /// <summary>
        /// Handles the request
        /// </summary>
        /// <returns>The awaitable task.</returns>
        /// <param name="context">The requests context.</param>
        public async Task <bool> HandleAsync(IHttpContext context)
        {
            var xsrf        = context.Request.Headers[XSRFHeaderName] ?? context.Request.Cookies[XSRFCookieName];
            var cookie      = context.Request.Cookies[AuthSessionCookieName];
            var longterm    = context.Request.Cookies[AuthCookieName];
            var droppedxsrf = false;

            if (!string.IsNullOrWhiteSpace(xsrf))
            {
                var session = await ShortTermStorage.GetSessionFromXSRFAsync(xsrf);

                if (session != null)
                {
                    await ShortTermStorage.DropSessionAsync(session);

                    droppedxsrf = true;
                }

                context.Response.AddCookie(XSRFCookieName, "", path: CookiePath, expires: new DateTime(1970, 1, 1), maxage: 0);
            }

            if (!string.IsNullOrWhiteSpace(cookie))
            {
                var session = await ShortTermStorage.GetSessionFromCookieAsync(cookie);

                if (session != null)
                {
                    await ShortTermStorage.DropSessionAsync(session);
                }

                if (session != null || droppedxsrf)
                {
                    context.Response.AddCookie(AuthSessionCookieName, "", path: CookiePath, expires: new DateTime(1970, 1, 1), maxage: 0);
                }
            }

            if (!string.IsNullOrWhiteSpace(longterm))
            {
                if (LongTermStorage != null)
                {
                    var pbkdf2 = new LongTermCookie(longterm);
                    if (pbkdf2.IsValid)
                    {
                        var lts = await LongTermStorage.GetLongTermLoginAsync(pbkdf2.Series);

                        if (lts != null)
                        {
                            await LongTermStorage.DropLongTermLoginAsync(lts);
                        }
                    }
                }

                context.Response.AddCookie(AuthCookieName, "", path: CookiePath, expires: new DateTime(1970, 1, 1), maxage: 0);
            }

            context.Response.StatusCode    = (HttpStatusCode)ResultStatusCode;
            context.Response.StatusMessage = ResultStatusMessage;
            if (!string.IsNullOrWhiteSpace(RedirectUrl))
            {
                context.Response.Headers["Location"] = RedirectUrl;
            }

            return(true);
        }
Ejemplo n.º 4
0
        /// <summary>
        /// Handles the request
        /// </summary>
        /// <returns>The awaitable task.</returns>
        /// <param name="context">The requests context.</param>
        public async Task <bool> HandleAsync(IHttpContext context)
        {
            var xsrf        = context.Request.Headers[XSRFHeaderName] ?? context.Request.Cookies[XSRFCookieName];
            var cookie      = context.Request.Cookies[AuthSessionCookieName];
            var longterm    = context.Request.Cookies[AuthCookieName];
            var droppedxsrf = false;

            if (!string.IsNullOrWhiteSpace(xsrf))
            {
                var session = await ShortTermStorage.GetSessionFromXSRFAsync(xsrf);

                if (session != null)
                {
                    // Kill the existing record
                    await ShortTermStorage.DropSessionAsync(session);

                    droppedxsrf = true;

                    // Register a new one on the same XSRF token,
                    // but without any user attached
                    await ShortTermStorage.AddSessionAsync(new SessionRecord()
                    {
                        UserID    = null,
                        Cookie    = null,
                        XSRFToken = session.XSRFToken,
                        Expires   = DateTime.Now.AddSeconds(ShortTermExpirationSeconds)
                    });
                }

                //context.Response.AddCookie(XSRFCookieName, "", path: CookiePath, expires: new DateTime(1970, 1, 1), maxage: 0);
            }

            if (!string.IsNullOrWhiteSpace(cookie))
            {
                var session = await ShortTermStorage.GetSessionFromCookieAsync(cookie);

                if (session != null)
                {
                    await ShortTermStorage.DropSessionAsync(session);
                }

                if (session != null || droppedxsrf)
                {
                    context.Response.AddCookie(AuthSessionCookieName, "", path: CookiePath, expires: new DateTime(1970, 1, 1), maxage: 0);
                }
            }

            if (!string.IsNullOrWhiteSpace(longterm))
            {
                if (LongTermStorage != null)
                {
                    var pbkdf2 = new LongTermCookie(longterm);
                    if (pbkdf2.IsValid)
                    {
                        var lts = await LongTermStorage.GetLongTermLoginAsync(pbkdf2.Series);

                        if (lts != null)
                        {
                            await LongTermStorage.DropLongTermLoginAsync(lts);
                        }
                    }
                }

                context.Response.AddCookie(AuthCookieName, "", path: CookiePath, expires: new DateTime(1970, 1, 1), maxage: 0);
            }

            context.Response.StatusCode    = (HttpStatusCode)ResultStatusCode;
            context.Response.StatusMessage = ResultStatusMessage;
            if (!string.IsNullOrWhiteSpace(RedirectUrl))
            {
                context.Response.Headers["Location"] = RedirectUrl;
            }

            return(true);
        }