 /// <inheritdoc  cref="Owasp.Esapi.Interfaces.IHttpUtilities.ChangeSessionIdentifier()" />
 /// <remarks>
 /// Mints a fresh session identifier for the current request and hands it to
 /// <see cref="SessionIDManager.SaveSessionID"/>. The redirect / cookie-added results
 /// reported by SaveSessionID are not consulted. Only the identifier is regenerated;
 /// nothing here touches the contents of the session.
 /// </remarks>
 public void ChangeSessionIdentifier()
 {
     HttpContext current = HttpContext.Current;
     SessionIDManager idManager = new SessionIDManager();
     string freshId = idManager.CreateSessionID(current);

     bool wasRedirected, cookieWasAdded;
     idManager.SaveSessionID(current, freshId, out wasRedirected, out cookieWasAdded);
 }
        /// <summary>
        /// On session start, generates an additional identifier with
        /// <see cref="SessionIDManager"/> and sends it to the client in a dedicated
        /// "omg-session" cookie. This does not replace the ASP.NET session id itself
        /// (SaveSessionID is not called).
        /// </summary>
        protected void Session_Start(Object sender, EventArgs e)
        {
            HttpContext current = HttpContext.Current;
            string generatedId = new SessionIDManager().CreateSessionID(current);

            // NOTE(review): the cookie is added without HttpOnly/Secure being set — confirm that is intended.
            HttpCookie sessionCookie = new HttpCookie("omg-session") { Value = generatedId };
            current.Response.Cookies.Add(sessionCookie);
        }
        /// <summary>
        /// Before the action runs, makes sure session state holds a value under "SessionID".
        /// On the first request of a session a freshly generated identifier is stored there
        /// and the session timeout is pinned to 30 minutes. The value only lives in session
        /// state; SaveSessionID is not called, so the ASP.NET session cookie is untouched.
        /// </summary>
        /// <param name="filterContext">The MVC action context for the current request.</param>
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            base.OnActionExecuting(filterContext);

            var session = filterContext.HttpContext.Session;
            if (session["SessionID"] != null)
            {
                return;
            }

            string generated = new SessionIDManager().CreateSessionID(HttpContext.Current);
            session.Timeout = 30;
            session["SessionID"] = generated;
        }
        /// <summary>
        /// Asks ESAPI to rotate the session identifier, then — if the request still carries
        /// no session id according to <see cref="SessionIDManager.GetSessionID"/> — generates
        /// one and keeps it in session state under the "cookie" key. The generated value is
        /// not written as a cookie here.
        /// </summary>
        protected void Page_Load(object sender, EventArgs e)
        {
            IHttpUtilities httpUtilities = Esapi.HttpUtilities;
            httpUtilities.ChangeSessionIdentifier();

            HttpContext current = HttpContext.Current;
            SessionIDManager idManager = new SessionIDManager();
            String existingId = idManager.GetSessionID(current);
            if (!String.IsNullOrEmpty(existingId))
            {
                return;
            }

            Session["cookie"] = idManager.CreateSessionID(current);
        }
        /// <summary>
        /// Abandons the current session, blanks the "ASP.NET_SessionId" cookie on the response,
        /// then mints and saves a fresh session identifier for this request.
        /// </summary>
        /// <returns>The newly generated session identifier.</returns>
        protected string _AbandonSession()
        {
            Session.Abandon();
            Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

            System.Web.HttpContext current = System.Web.HttpContext.Current;
            SessionIDManager idManager = new SessionIDManager();
            string freshId = idManager.CreateSessionID(current);

            // The redirect / cookie-added results of SaveSessionID are not used by callers.
            bool wasRedirected, cookieWasAdded;
            idManager.SaveSessionID(current, freshId, out wasRedirected, out cookieWasAdded);

            return freshId;
        }
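        /// <summary>
        /// Replaces the session identifier of the current request with a freshly generated one.
        /// After saving the new id through <see cref="System.Web.SessionState.SessionIDManager"/>,
        /// the private per-request fields of <see cref="SessionStateModule"/> (<c>_store</c>,
        /// <c>_rqId</c>, <c>_rqLockId</c>, <c>_rqSessionStateNotFound</c>) are patched via
        /// reflection so the module treats the request as having no state under the new id.
        /// Those field names are an implementation detail of System.Web and may change between
        /// framework versions.
        /// </summary>
        /// <exception cref="System.InvalidOperationException">
        /// The "Session" module is not a <see cref="SessionStateModule"/>, one of the expected
        /// private fields is absent, or the module has no store provider to release the old lock on.
        /// </exception>
        private void RegenerateSessionId()
        {
            var Context = System.Web.HttpContext.Current;

            // Step 1: mint a new identifier and persist it for this request.
            // The redirect / cookie-added results reported by SaveSessionID are not used here.
            System.Web.SessionState.SessionIDManager manager = new System.Web.SessionState.SessionIDManager();
            string oldId = manager.GetSessionID(Context);
            string newId = manager.CreateSessionID(Context);
            bool isAdd, isRedir;
            manager.SaveSessionID(Context, newId, out isRedir, out isAdd);

            // Step 2: locate the session module and the private fields to patch. Fail with a
            // descriptive exception rather than a NullReferenceException when the layout differs.
            HttpApplication ctx = Context.ApplicationInstance;
            HttpModuleCollection mods = ctx.Modules;
            SessionStateModule ssm = mods.Get("Session") as SessionStateModule;
            if (ssm == null)
            {
                throw new System.InvalidOperationException(
                    "The \"Session\" HTTP module is missing or is not a SessionStateModule; cannot regenerate the session id.");
            }

            const BindingFlags privateInstance = BindingFlags.NonPublic | BindingFlags.Instance;
            System.Type moduleType = ssm.GetType();
            System.Reflection.FieldInfo storeField = RequireSessionModuleField(moduleType, "_store", privateInstance);
            System.Reflection.FieldInfo rqIdField = RequireSessionModuleField(moduleType, "_rqId", privateInstance);
            System.Reflection.FieldInfo rqLockIdField = RequireSessionModuleField(moduleType, "_rqLockId", privateInstance);
            System.Reflection.FieldInfo rqStateNotFoundField = RequireSessionModuleField(moduleType, "_rqSessionStateNotFound", privateInstance);

            // Step 3: if the module recorded a lock id for the old session item, release it on the
            // store provider so the old item is not left locked.
            object lockId = rqLockIdField.GetValue(ssm);
            if ((lockId != null) && (oldId != null))
            {
                SessionStateStoreProviderBase store = (SessionStateStoreProviderBase)storeField.GetValue(ssm);
                if (store == null)
                {
                    throw new System.InvalidOperationException(
                        "SessionStateModule has no store provider; cannot release the lock on the previous session id.");
                }
                store.ReleaseItemExclusive(Context, oldId, lockId);
            }

            // Step 4: tell the module there is no state for this request and that its id is newId.
            rqStateNotFoundField.SetValue(ssm, true);
            rqIdField.SetValue(ssm, newId);
        }

        /// <summary>
        /// Looks up a private instance field of the session module by name, failing with a clear
        /// message when the expected field does not exist (for example after a framework update).
        /// </summary>
        /// <param name="moduleType">Runtime type of the session module.</param>
        /// <param name="fieldName">Name of the private field to find.</param>
        /// <param name="flags">Binding flags used for the lookup.</param>
        /// <returns>The matching <see cref="System.Reflection.FieldInfo"/>.</returns>
        /// <exception cref="System.InvalidOperationException">No such field exists on the type.</exception>
        private static System.Reflection.FieldInfo RequireSessionModuleField(System.Type moduleType, string fieldName, BindingFlags flags)
        {
            System.Reflection.FieldInfo field = moduleType.GetField(fieldName, flags);
            if (field == null)
            {
                throw new System.InvalidOperationException(
                    "SessionStateModule does not expose a private field named '" + fieldName + "'.");
            }
            return field;
        }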
    /// <summary>
    /// On the initial (non-postback) load of the login page: generates and saves a fresh
    /// session identifier for this request, focuses the user-name field, abandons the
    /// current session, and wires both login fields so that Enter triggers the login button.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            return;
        }

        System.Web.SessionState.SessionIDManager idManager = new System.Web.SessionState.SessionIDManager();
        string freshId = idManager.CreateSessionID(Context);

        // The redirect / cookie-added results of SaveSessionID are not used.
        bool wasRedirected, cookieWasAdded;
        idManager.SaveSessionID(Context, freshId, out wasRedirected, out cookieWasAdded);

        UsuarioL.Focus();
        // Abandon runs after the new id has been saved; presumably meant to start the login from a clean session.
        Session.Abandon();

        // BtnLogin.ClientID is server-generated, so the handler string is built from trusted parts.
        string enterHandler = "return clickButton(event,'" + BtnLogin.ClientID + "')";
        UsuarioL.Attributes.Add("onkeypress", enterHandler);
        ContrasenaL.Attributes.Add("onkeypress", enterHandler);
    }
    /// <summary>
    /// Establishes or tears down the session for this page based on Session["Username"],
    /// the shared <c>globle</c> user values and whether the session is new.
    /// Any exception raised inside is swallowed by the catch at the end.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            // Existing (non-new) session without a user: send to Logout.aspx.
            // Redirect(..., false) does not end the request, hence the explicit return.
            if (Session["Username"] == null && Session.IsNewSession == false)
            {
                Response.Redirect("Logout.aspx", false);
                return;
            }

            // Fresh session with a known user: copy the shared user values into session state.
            if (globle.UserValue != null && Session.IsNewSession == true)
            {
                Session["Username"] = globle.UserValue;
                Session["Role"]     = globle.Role;
                Session["Location"] = "";
                Session["PF_Index"] = globle.PF_Index;
                Session["LoggedIn"] = "Yes";
            }
            else if (globle.UserValue == null)
            {
                Response.Redirect("Logout.aspx", false);
                return;
            }
            else
            {
                // Remaining case: user value known, Session["Username"] set and the session is not new.
                // The session and its cookies are torn down and the user is signed out. Several calls
                // below are repeated (Abandon/Clear appear more than once) and look redundant; kept as-is.
                HttpContext.Current.Session.Abandon();
                HttpContext.Current.Session.Clear();
                Session["Username"] = null;
                Session.Abandon();
                Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
                Response.Cookies.Add(new HttpCookie("__AntiXsrfToken", ""));
                Request.Cookies.Clear();

                // Prevent the browser from caching this response.
                HttpContext.Current.Response.AddHeader("Cache-Control", "no-cache, no-store, must-revalidate");
                HttpContext.Current.Response.AddHeader("Pragma", "no-cache");
                HttpContext.Current.Response.AddHeader("Expires", "0");
                Session.Abandon(); // Session Expire but cookie do exist
                                   //  Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddDays(-30); //Delete the cookie
                Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddDays(-1);
                HttpContext.Current.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
                // NOTE(review): if the request carries no "Asp.net_sessionId" cookie the request-side
                // indexer below may yield null; the resulting exception would be swallowed by the catch
                // and the rest of this branch (SignOut, new session id) would not run — confirm.
                Request.Cookies["Asp.net_sessionId"].Expires = DateTime.UtcNow.AddDays(-1d);
                Response.Cookies["Asp.net_sessionId"].Value  = "";
                Response.Cookies["Username"].Value           = "";
                Response.Cookies.Add(Request.Cookies["Username"]);

                Session.RemoveAll();
                Session.Abandon();
                Session["Username"] = null;
                Session.Clear();
                ClearCache();
                string USER = globle.UserValue; // assigned but not used afterwards

                FormsAuthentication.SignOut();

                // NOTE(review): the new session id is generated and saved after CompleteRequest();
                // whether SaveSessionID still takes effect at that point should be confirmed.
                // OldID is computed but never used.
                Context.ApplicationInstance.CompleteRequest();
                bool redirected = false;
                bool isAdded    = false;
                System.Web.SessionState.SessionIDManager Manager = new System.Web.SessionState.SessionIDManager();
                string NewID = Manager.CreateSessionID(Context);
                string OldID = Context.Session.SessionID;
                Manager.SaveSessionID(Context, NewID, out redirected, out isAdded);
            }
        }
        catch (Exception)
        {
            // NOTE(review): every exception is silently discarded, so failures in the teardown path
            // above (cookie handling, SignOut, SaveSessionID) leave no trace — consider logging here.
            //  string USER = globle.UserValue;
            //  Dictionary<string, string> dic = ((Dictionary<string, string>)Application["Sessions"]);
            //  ((Dictionary<string, string>)Application["Sessions"]).Remove(USER);
        }
    }
        /// <summary>
        /// Loads the session item for <c>_sessionId</c> from the Redis provider or, when no
        /// item exists (or no id is set yet), generates a new session id and creates an
        /// uninitialized item for it in Redis.
        /// </summary>
        /// <exception cref="InvalidOperationException">
        /// The newly created item could not be read back from the provider.
        /// </exception>
        private void InitSession()
        {
            // The provider is created lazily and reused across calls.
            if (_sessionProvider == null)
            {
                _sessionProvider = new RedisASPSessionStateProvider();
            }

            // GetItem is the non-exclusive read; the lock details it reports are discarded here.
            bool isLocked;
            TimeSpan lockAge;
            object lockId;
            SessionStateActions actions;

            _storeData = string.IsNullOrWhiteSpace(_sessionId)
                ? null
                : _sessionProvider.GetItem(null, _sessionId, out isLocked, out lockAge, out lockId, out actions);

            if (_storeData != null)
            {
                return;
            }

            // No existing item: mint a new id, create an uninitialized item for it, then read it back.
            _sessionId = new SessionIDManager().CreateSessionID(_context);
            _sessionTimeout = (int)RedisSessionStateProvider.configuration.SessionTimeout.TotalMinutes;
            _sessionProvider.CreateUninitializedItem(null, _sessionId, _sessionTimeout);
            _storeData = _sessionProvider.GetItem(null, _sessionId, out isLocked, out lockAge, out lockId, out actions);

            if (_storeData == null)
            {
                throw new InvalidOperationException("Store Data cannot be created");
            }
        }
 // temporarily unused
 /// <summary>
 /// Generates a new session identifier for the current request, saves it through
 /// <see cref="SessionIDManager.SaveSessionID"/> and returns it. The redirect /
 /// cookie-added results of SaveSessionID are ignored.
 /// </summary>
 /// <returns>The newly generated session identifier.</returns>
 private string NewSessionId()
 {
     HttpContext current = HttpContext.Current;
     SessionIDManager idManager = new SessionIDManager();
     string freshId = idManager.CreateSessionID(current);

     bool wasRedirected, cookieWasAdded;
     idManager.SaveSessionID(current, freshId, out wasRedirected, out cookieWasAdded);
     return freshId;
 }
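        /// <summary>
        /// Workaround: previewing a page whose code writes to Session was observed to break every
        /// subsequent page preview regardless of content. Re-issuing the session id and resetting
        /// the per-request state of <see cref="SessionStateModule"/> (by patching its private
        /// <c>_store</c>, <c>_rqId</c>, <c>_rqLockId</c> and <c>_rqSessionStateNotFound</c> fields
        /// via reflection) fixed the issue and passed testing; the precise mechanism is not
        /// understood, so treat this as an empirical fix. The field names are an implementation
        /// detail of System.Web and may change between framework versions.
        /// </summary>
        /// <param name="ctx">the Http context that will be shared between master and child process</param>
        /// <exception cref="InvalidOperationException">
        /// The "Session" module is not a <see cref="SessionStateModule"/>, one of the expected
        /// private fields is absent, or the module has no store provider to release the old lock on.
        /// </exception>
        private static void AllowChildRequestSessionAccess(HttpContext ctx)
        {
            // Step 1: mint a new identifier for ctx and persist it. The redirect / cookie-added
            // results reported by SaveSessionID are not used.
            SessionIDManager manager = new SessionIDManager();
            string oldId = manager.GetSessionID(ctx);
            string newId = manager.CreateSessionID(ctx);
            bool isAdd, isRedir;
            manager.SaveSessionID(ctx, newId, out isRedir, out isAdd);

            // Step 2: locate the session module. NOTE(review): the module is taken from
            // HttpContext.Current, not from ctx — presumably the same request; confirm.
            HttpApplication ctx2 = (HttpApplication)HttpContext.Current.ApplicationInstance;
            HttpModuleCollection mods = ctx2.Modules;
            SessionStateModule ssm = mods.Get("Session") as SessionStateModule;
            if (ssm == null)
            {
                throw new InvalidOperationException(
                    "The \"Session\" HTTP module is missing or is not a SessionStateModule; cannot reset session state.");
            }

            // Fail with a descriptive exception rather than a NullReferenceException when the
            // private field layout differs from what this workaround expects.
            const BindingFlags privateInstance = BindingFlags.NonPublic | BindingFlags.Instance;
            Type moduleType = ssm.GetType();
            System.Reflection.FieldInfo storeField = GetRequiredPrivateField(moduleType, "_store", privateInstance);
            System.Reflection.FieldInfo rqIdField = GetRequiredPrivateField(moduleType, "_rqId", privateInstance);
            System.Reflection.FieldInfo rqLockIdField = GetRequiredPrivateField(moduleType, "_rqLockId", privateInstance);
            System.Reflection.FieldInfo rqStateNotFoundField = GetRequiredPrivateField(moduleType, "_rqSessionStateNotFound", privateInstance);

            // Step 3: if the module recorded a lock id for the old item, release it on the store.
            object lockId = rqLockIdField.GetValue(ssm);
            if ((lockId != null) && (oldId != null))
            {
                SessionStateStoreProviderBase store = (SessionStateStoreProviderBase)storeField.GetValue(ssm);
                if (store == null)
                {
                    throw new InvalidOperationException(
                        "SessionStateModule has no store provider; cannot release the lock on the previous session id.");
                }
                store.ReleaseItemExclusive(ctx, oldId, lockId);
            }

            // Step 4: tell the module there is no state for this request and that its id is newId.
            rqStateNotFoundField.SetValue(ssm, true);
            rqIdField.SetValue(ssm, newId);
        }

        /// <summary>
        /// Looks up a private instance field by name, failing with a clear message when the
        /// expected field does not exist on the type (for example after a framework update).
        /// </summary>
        /// <param name="moduleType">Runtime type of the session module.</param>
        /// <param name="fieldName">Name of the private field to find.</param>
        /// <param name="flags">Binding flags used for the lookup.</param>
        /// <returns>The matching <see cref="System.Reflection.FieldInfo"/>.</returns>
        /// <exception cref="InvalidOperationException">No such field exists on the type.</exception>
        private static System.Reflection.FieldInfo GetRequiredPrivateField(Type moduleType, string fieldName, BindingFlags flags)
        {
            System.Reflection.FieldInfo field = moduleType.GetField(fieldName, flags);
            if (field == null)
            {
                throw new InvalidOperationException(
                    "SessionStateModule does not expose a private field named '" + fieldName + "'.");
            }
            return field;
        }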
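        /// <summary>
        /// Authenticates <paramref name="user"/> with <paramref name="token"/> and sends a
        /// JSON-like response. On failure an error object is sent; on success a new session id
        /// is generated, a <see cref="GreyhoundSession"/> is created for the user, and the
        /// session id plus the user's profile fields are sent back.
        /// </summary>
        /// <param name="user">User name (e-mail) supplied by the client; "guest" is mapped to a masked name.</param>
        /// <param name="token">Credential token supplied by the client.</param>
        public void LoginUser(string user, string token)
        {
            if (!AuthenticateUser(user, token))
            {
                String result = "{result: 'error', errormsg: 'Login Failed!'}";
                SendResponse(result);
                return;
            }

            // The guest account is looked up under a masked name. Ordinal comparison avoids
            // culture-dependent casing.
            if (user.Equals("guest", StringComparison.OrdinalIgnoreCase))
            {
                user = "******";
            }

            User session_user = UserBLL.GetUserByEmail(user);

            SessionIDManager Manager = new System.Web.SessionState.SessionIDManager();
            string session_id = Manager.CreateSessionID(Context);
            GreyhoundSession session = new GreyhoundSession(session_id, session_user);

            // TODO: Implement session keys:
            //    1) generate a session key and ad it to the session keys table with an expiration date and associated to the user id
            //    2) return the key to the mobile application
            //    3) in each method call check the session key validity for the user id:
            //        i) if the key is invalid ignore the request
            //       ii) if the key is valid respond to the method call
            //      iii) if the key is valid but has expired generate a new key, return the key to the mobile app and respond to the method call

            // Profile fields come from stored user data. Each value is escaped so that a single
            // quote or backslash inside it cannot terminate the quoted field early; values without
            // those characters are emitted exactly as before.
            String result = "{result: 'success', " +
                "sessionid: '" + QuoteField(session.Session_Id) + "'," +
                "user_id: '" + QuoteField(session_user.User_Id) + "'," +
                "role_id: '" + QuoteField(session_user.Role_Id) + "'," +
                "name: '" + QuoteField(session_user.Name) + "'," +
                "address: '" + QuoteField(session_user.Address) + "'," +
                "mobile: '" + QuoteField(session_user.Mobile) + "'," +
                "paypal_id: '" + QuoteField(session_user.Paypal_Id) + "'," +
                "betfair_id: '" + QuoteField(session_user.Betfair_Id) + "'," +
                "expire: '" + QuoteField(session.Validity) + "'}";

            SendResponse(result);
        }

        /// <summary>
        /// Converts a value to its string form (empty for null, as string concatenation would)
        /// and escapes backslashes and single quotes so it can sit inside a single-quoted field
        /// of the response.
        /// </summary>
        /// <param name="value">The value to embed.</param>
        /// <returns>The escaped string form of <paramref name="value"/>.</returns>
        private static string QuoteField(object value)
        {
            string text = Convert.ToString(value);
            return text.Replace("\\", "\\\\").Replace("'", "\\'");
        }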