public void Security_ReturnUrlAndSecureCookie(HostType hostType)
        {
            using (ApplicationDeployer deployer = new ApplicationDeployer())
            {
                string applicationUrl  = deployer.Deploy(hostType, ReturnUrlAndSecureCookieConfiguration);
                string secureServerUri = new UriBuilder(applicationUrl)
                {
                    Scheme = Uri.UriSchemeHttps
                }.Uri.AbsoluteUri;

                HttpClientHandler handler    = new HttpClientHandler();
                HttpClient        httpClient = new HttpClient(handler);

                // Unauthenticated request - verify Redirect url
                HttpResponseMessage response = httpClient.GetAsync(applicationUrl).Result;
                CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Unauthenticated requests not automatically redirected to login page", "MyRedirectUrl");

                var validCookieCredentials = new FormUrlEncodedContent(new kvp[] { new kvp("username", "test"), new kvp("password", "test") });
                response = httpClient.PostAsync(response.RequestMessage.RequestUri, validCookieCredentials).Result;
                response.EnsureSuccessStatusCode();

                //Verify cookie sent
                Assert.False(handler.CookieContainer.Count != 1, "Forms auth cookie not received automatically after successful login");
                Cookie loginCookie = handler.CookieContainer.GetCookies(new Uri(secureServerUri))[0];

                Assert.Equal(loginCookie.Secure, true);
            }
        }
Ejemplo n.º 2
0
        public void Security_CustomSecureDataHandler(HostType hostType)
        {
            using (ApplicationDeployer deployer = new ApplicationDeployer())
            {
                string applicationUrl = deployer.Deploy(hostType, CustomSecureDataHandlerConfiguration);
                string homePath       = applicationUrl + "Auth/Home";
                string logoutPath     = applicationUrl + string.Format("Auth/Logout?ReturnUrl={0}", new Uri(homePath).AbsolutePath);

                var handler    = new HttpClientHandler();
                var httpClient = new HttpClient(handler);

                // Unauthenticated request
                var response = httpClient.GetAsync(applicationUrl).Result;
                CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Unauthenticated requests not automatically redirected to login page");

                // Valid credentials
                var validCookieCredentials = new FormUrlEncodedContent(new kvp[] { new kvp("username", "test"), new kvp("password", "test") });
                response = httpClient.PostAsync(response.RequestMessage.RequestUri, validCookieCredentials).Result;
                Assert.Equal <string>("OnResponseSignedIn.CustomSecureDataHandler", response.Content.ReadAsStringAsync().Result);
                Assert.Equal <string>(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);
                var cookieBackup = handler.CookieContainer.GetCookies(new Uri(applicationUrl))[".AspNet.Cookies"];

                for (int retryCount = 0; retryCount < 10; retryCount++)
                {
                    response = httpClient.GetAsync(applicationUrl).Result;
                    Assert.Equal <string>("CustomSecureDataHandler", response.Content.ReadAsStringAsync().Result);
                    Assert.Equal <string>(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);
                }

                //Logout the client
                response = httpClient.GetAsync(logoutPath).Result;
                Assert.True(handler.CookieContainer.Count == 0, "Cookie is not cleared on logout");
                Assert.Equal <string>("Welcome Home", response.Content.ReadAsStringAsync().Result);

                //Try login with a corrupt cookie to see that Exception notification is triggered.
                handler.CookieContainer.Add(new Cookie("ExceptionTrigger", "true", "/", cookieBackup.Domain));
                handler.CookieContainer.Add(cookieBackup);
                response = httpClient.GetAsync(applicationUrl).Result;
                Assert.Equal <string>("OnException.CustomSecureDataHandler", response.Content.ReadAsStringAsync().Result);
            }
        }
Ejemplo n.º 3
0
        public void Security_PersistentCookie(HostType hostType)
        {
            using (ApplicationDeployer deployer = new ApplicationDeployer())
            {
                string applicationUrl = deployer.Deploy(hostType, PersistentCookieConfiguration);
                string homePath       = applicationUrl + "Auth/Home";
                string logoutPath     = applicationUrl + string.Format("Auth/Logout?ReturnUrl={0}", new Uri(homePath).AbsolutePath);

                var handler    = new HttpClientHandler();
                var httpClient = new HttpClient(handler);

                // Unauthenticated request
                var response = httpClient.GetAsync(applicationUrl).Result;
                CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Unauthenticated requests not automatically redirected to login page");

                // Valid credentials
                var validPersistingCredentials = new FormUrlEncodedContent(new kvp[] { new kvp("username", "test"), new kvp("password", "test"), new kvp("rememberme", "on") });
                response = httpClient.PostAsync(response.RequestMessage.RequestUri, validPersistingCredentials).Result;
                response.EnsureSuccessStatusCode();
                Assert.Equal <string>(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);

                //Verify cookie sent
                Assert.True(handler.CookieContainer.Count == 1, "Did not receive one cookie as expected");
                var cookie = handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0];
                Assert.True(cookie != null && cookie.Name == "KATANACOOKIE", "Cookie with name 'KATANACOOKIE' not found");
                Assert.True((cookie.Expires - DateTime.Now).Days > 10, "Did not receive a persistent cookie");

                //Logout the client
                response = httpClient.GetAsync(logoutPath).Result;
                Assert.True(handler.CookieContainer.Count == 0, "Cookie is not cleared on logout");
                Assert.Equal <string>(homePath, response.RequestMessage.RequestUri.AbsoluteUri);

                //Try accessing protected resource again. It should get redirected to login page
                response = httpClient.GetAsync(applicationUrl).Result;
                CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Request not automatically redirected to login page after cookie expiry");
            }
        }
Ejemplo n.º 4
0
        public void Security_HttpCookieOnlyAndCookiePath(HostType hostType)
        {
            using (ApplicationDeployer deployer = new ApplicationDeployer())
            {
                string applicationUrl       = deployer.Deploy(hostType, HttpCookieOnlyAndCookiePathConfiguration);
                string passiveAuthLoginPage = applicationUrl + "Auth/PassiveAuthLogin";
                string homePath             = applicationUrl + "Auth/Home";
                string logoutPath           = applicationUrl + string.Format("Auth/Logout?ReturnUrl={0}", new Uri(homePath).AbsolutePath);

                var handler    = new HttpClientHandler();
                var httpClient = new HttpClient(handler);

                var response = httpClient.GetAsync(passiveAuthLoginPage).Result;
                CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, passiveAuthLoginPage, "Unauthenticated requests not automatically redirected to login page");
                var validCookieCredentials = new FormUrlEncodedContent(new kvp[] { new kvp("username", "test"), new kvp("password", "test") });
                response = httpClient.PostAsync(response.RequestMessage.RequestUri, validCookieCredentials).Result;

                //Verify cookie sent
                Assert.Equal(2, handler.CookieContainer.Count);
                CookieCollection cookies           = handler.CookieContainer.GetCookies(new Uri(applicationUrl + "Auth"));
                Cookie           applicationCookie = cookies[CookieAuthenticationDefaults.CookiePrefix + "Application"];
                Cookie           temporaryCookie   = cookies["TemporaryCookie"];
                Assert.NotNull(applicationCookie);
                Assert.NotNull(temporaryCookie);

                Assert.True(applicationCookie.HttpOnly);
                Assert.Equal("/", applicationCookie.Path);
                Assert.False(temporaryCookie.HttpOnly);
                Assert.Equal(temporaryCookie.Path, new Uri(applicationUrl).AbsolutePath + "Auth");
                Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);

                //Logout the client
                response = httpClient.GetAsync(logoutPath).Result;
                Assert.True(handler.CookieContainer.Count == 0, "Cookie is not cleared on logout");
                Assert.Equal(homePath, response.RequestMessage.RequestUri.AbsoluteUri);
            }
        }
Ejemplo n.º 5
0
        public void Security_CookiesAuthDefaults(HostType hostType)
        {
            using (ApplicationDeployer deployer = new ApplicationDeployer())
            {
                string applicationUrl = deployer.Deploy(hostType, CookieAuthDefaultsConfiguration);
                string homePath       = applicationUrl + "Auth/Home";
                string logoutPath     = applicationUrl + string.Format("Auth/Logout?ReturnUrl={0}", new Uri(homePath).AbsolutePath);

                var handler    = new HttpClientHandler();
                var httpClient = new HttpClient(handler);

                // Unauthenticated request
                var response = httpClient.GetAsync(applicationUrl).Result;
                CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Unauthenticated requests not automatically redirected to login page");

                // Invalid credentials test
                for (int retryCount = 0; retryCount < 2; retryCount++)
                {
                    response = httpClient.PostAsync(response.RequestMessage.RequestUri, GetInValidCookieCredentials()).Result;
                    CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Invalid credentials - not automatically redirecting to login page with proper ReturnUrl");
                }

                // Valid credentials
                response = httpClient.PostAsync(response.RequestMessage.RequestUri, GetValidCookieCredentials()).Result;
                Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);

                //Verify cookie sent
                Assert.False(handler.CookieContainer.Count != 1 ||
                             handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0].Name != "KATANACOOKIE",
                             string.Format("Forms auth cookie with expected name '{0}' not received automatically after successful login", "KATANACOOKIE"));

                //Retry multiple times with valid cookie to test sliding expiration
                for (int retryCount = 0; retryCount < 3; retryCount++)
                {
                    Thread.Sleep(2 * 1000);
                    response = httpClient.GetAsync(applicationUrl).Result;
                    response.EnsureSuccessStatusCode();
                    Assert.Equal("ProtectedResource", response.Content.ReadAsStringAsync().Result);
                    Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);
                }

                //Expire the cookie & verify if request is redirected to login page again
                Thread.Sleep(3 * 1000);
                response = httpClient.GetAsync(applicationUrl).Result;
                response.EnsureSuccessStatusCode();
                CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Request not automatically redirected to login page after cookie expiry");

                //Reauthenticate with valid cookie & verify if protected resource is accessible again
                response = httpClient.PostAsync(response.RequestMessage.RequestUri, GetValidCookieCredentials()).Result;
                Assert.Equal("ProtectedResource", response.Content.ReadAsStringAsync().Result);
                Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);

                //Make one successful call
                response = httpClient.GetAsync(applicationUrl).Result;

                //Now corrupt the cookie to see if this gets redirected to login page
                string backUpCookieValue = handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0].Value;
                handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0].Value = "invalid cookie value";
                response = httpClient.GetAsync(applicationUrl).Result;

                CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Request not automatically redirected to login page after cookie expiry");

                //put back the valid cookie & verify protected resource is accessible again
                handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0].Value = backUpCookieValue;
                response = httpClient.GetAsync(applicationUrl).Result;
                Assert.Equal("ProtectedResource", response.Content.ReadAsStringAsync().Result);
                Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri);

                //Logout the client
                response = httpClient.GetAsync(logoutPath).Result;
                Assert.True(handler.CookieContainer.Count == 0, "Cookie is not cleared on logout");
                Assert.Equal("Welcome Home", response.Content.ReadAsStringAsync().Result);

                //Try accessing protected resource again. It should get redirected to login page
                response = httpClient.GetAsync(applicationUrl).Result;
                CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Request not automatically redirected to login page after cookie expiry");
            }
        }