Ejemplo n.º 1
0
        public AntiForgeryToken GetCookieToken(HttpRequestMessage httpContext)
        {
            CookieHeaderValue cookie      = httpContext.Headers.GetCookies(m_config.CookieName).FirstOrDefault();
            string            cookieValue = cookie?[m_config.CookieName].Value;

            if (string.IsNullOrEmpty(cookieValue))
            {
                return(null);
            }

            return(AntiForgeryTokenSerializer.Deserialize(cookieValue));
        }
Ejemplo n.º 2
0
        public AntiForgeryToken GetFormToken(HttpRequestMessage request)
        {
            PostData postData = request.GetPostData();

            string formValue = postData.FormData[m_config.FormFieldName];

            if (string.IsNullOrEmpty(formValue))
            {
                request.QueryParameters().TryGetValue(m_config.FormFieldName, out formValue);
            }

            if (string.IsNullOrEmpty(formValue))
            {
                return(null);
            }

            return(AntiForgeryTokenSerializer.Deserialize(formValue));
        }
Ejemplo n.º 3
0
        public void SaveCookieToken(HttpResponseMessage response, AntiForgeryToken token)
        {
            string serializedToken = AntiForgeryTokenSerializer.Serialize(token);

            CookieHeaderValue newCookie = new CookieHeaderValue(m_config.CookieName, serializedToken)
            {
                HttpOnly = true
            };

            // Note: don't use "newCookie.Secure = _config.RequireSSL;" since the default
            // value of newCookie.Secure is automatically populated from the <httpCookies>
            // config element.
            if (m_config.RequireSSL)
            {
                newCookie.Secure = true;
            }

            response.Headers.AddCookies(new[] { newCookie });
        }
Ejemplo n.º 4
0
        // [ ENTRY POINT ]
        // Generates an anti-XSRF token pair for the current user. The return
        // value is the hidden input form element that should be rendered in
        // the <form>. This method has a side effect: it may set a response
        // cookie.
        public TagBuilder GetFormInputElement(HttpResponseMessage response)
        {
            CheckSSLConfig(response.RequestMessage);

            AntiForgeryToken oldCookieToken = GetCookieTokenNoThrow(response.RequestMessage);
            AntiForgeryToken newCookieToken, formToken;

            GetTokens(response.RequestMessage, oldCookieToken, out newCookieToken, out formToken);

            // If a new cookie was generated, persist it.
            if (newCookieToken != null)
            {
                m_tokenStore.SaveCookieToken(response, newCookieToken);
            }

            if (!m_config.SuppressXFrameOptionsHeader)
            {
                // Adding X-Frame-Options header to prevent ClickJacking. See
                // http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-10
                // for more information.
                const string FrameHeaderName = "X-Frame-Options";

                if (!response.Headers.Contains(FrameHeaderName))
                {
                    response.Headers.Add(FrameHeaderName, "SAMEORIGIN");
                }
            }

            // <input type="hidden" name="__AntiForgeryToken" value="..." />
            TagBuilder retVal = new TagBuilder("input");

            retVal.Attributes["type"]  = "hidden";
            retVal.Attributes["name"]  = m_config.FormFieldName;
            retVal.Attributes["value"] = AntiForgeryTokenSerializer.Serialize(formToken);

            return(retVal);
        }
Ejemplo n.º 5
0
 private AntiForgeryToken DeserializeToken(string serializedToken)
 {
     return(!string.IsNullOrEmpty(serializedToken) ? AntiForgeryTokenSerializer.Deserialize(serializedToken) : null);
 }
Ejemplo n.º 6
0
 private string Serialize(AntiForgeryToken token)
 {
     return(token != null?AntiForgeryTokenSerializer.Serialize(token) : null);
 }