/// <summary>
/// Loads the session from the request
/// </summary>
/// <param name="request">Request to load from</param>
/// <returns>ISession containing the load session values</returns>
public ISession Load(Request request)
{
var dictionary = new Dictionary <string, object>();
// TODO - configurable path?
if (request.Cookies.ContainsKey(cookieName))
{
var cookieData = HttpUtility.UrlDecode(request.Cookies[cookieName]);
var hmacLength = Base64Helpers.GetBase64Length(this.hmacProvider.HmacLength);
var hmacString = cookieData.Substring(0, hmacLength);
var encryptedCookie = cookieData.Substring(hmacLength);
var hmacBytes = Convert.FromBase64String(hmacString);
var newHmac = this.hmacProvider.GenerateHmac(encryptedCookie);
var hmacValid = HmacComparer.Compare(newHmac, hmacBytes, this.hmacProvider.HmacLength);
var data = this.encryptionProvider.Decrypt(encryptedCookie);
var parts = data.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
foreach (var part in parts.Select(part => part.Split('=')))
{
var valueObject = this.serializer.Deserialize(HttpUtility.UrlDecode(part[1]));
dictionary[HttpUtility.UrlDecode(part[0])] = valueObject;
}
if (!hmacValid)
{
dictionary.Clear();
}
}
return(new Session(dictionary));
}
private DiagnosticsSession DecodeCookie(INancyCookie nancyCookie)
{
var cookieValue = nancyCookie.Value;
var hmacStringLength = Base64Helpers.GetBase64Length(this.cryptoConfig.HmacProvider.HmacLength);
var encryptedSession = cookieValue.Substring(hmacStringLength);
var decrypted = this.cryptoConfig.EncryptionProvider.Decrypt(encryptedSession);
return(this.objectSerializer.Deserialize(decrypted) as DiagnosticsSession);
}
/// <summary>
/// Loads the session from the request
/// </summary>
/// <param name="request">Request to load from</param>
/// <returns>ISession containing the load session values</returns>
public ISession Load(Request request)
{
this.ExpireOldSessions();
var dictionary = new Dictionary <string, object>();
// Get the session Id from the encrypted cookie
var cookieName = this.currentConfiguration.CookieName;
var hmacProvider = this.currentConfiguration.CryptographyConfiguration.HmacProvider;
var encryptionProvider = this.currentConfiguration.CryptographyConfiguration.EncryptionProvider;
if (!request.Cookies.ContainsKey(cookieName))
{
return(CreateNewSession(dictionary));
}
var cookieData = HttpUtility.UrlDecode(request.Cookies[cookieName]);
var hmacLength = Base64Helpers.GetBase64Length(hmacProvider.HmacLength);
if (cookieData.Length < hmacLength)
{
return(CreateNewSession(dictionary));
}
var hmacString = cookieData.Substring(0, hmacLength);
var encryptedCookie = cookieData.Substring(hmacLength);
var hmacBytes = Convert.FromBase64String(hmacString);
var newHmac = hmacProvider.GenerateHmac(encryptedCookie);
var hmacValid = HmacComparer.Compare(newHmac, hmacBytes, hmacProvider.HmacLength);
if (!hmacValid)
{
return(CreateNewSession(dictionary));
}
// Get the session itself from the database
var id = encryptionProvider.Decrypt(encryptedCookie);
var session = Await(RethinkDbSessionStore.RetrieveSession(currentConfiguration, id));
if (null == session)
{
return(CreateNewSession(dictionary));
}
if (currentConfiguration.UseRollingSessions)
{
Await(RethinkDbSessionStore.UpdateLastAccessed(currentConfiguration, id));
}
return(session);
}
/// <summary>
/// Decrypt and validate an encrypted and signed cookie value
/// </summary>
/// <param name="cookieValue">
/// Encrypted and signed cookie value
/// </param>
/// <returns>
/// Decrypted value, or empty on error or if failed validation
/// </returns>
private string DecryptAndValidateAuthenticationCookie(string cookieValue)
{
var hmacStringLength = Base64Helpers.GetBase64Length(this.currentConfiguration.CryptographyConfiguration.HmacProvider.HmacLength);
var encryptedCookie = cookieValue.Substring(hmacStringLength);
var hmacString = cookieValue.Substring(0, hmacStringLength);
// Check the hmacs, but don't early exit if they don't match
var hmacBytes = Convert.FromBase64String(hmacString);
var newHmac = this.GenerateHmac(encryptedCookie);
var hmacValid = HmacComparer.Compare(newHmac, hmacBytes, this.currentConfiguration.CryptographyConfiguration.HmacProvider.HmacLength);
// Only return the decrypted result if the hmac was ok
return(hmacValid ? cookieValue : string.Empty);
}
/// <summary>
/// Loads the session from the request
/// </summary>
/// <param name="request">Request to load from</param>
/// <returns>ISession containing the load session values</returns>
public ISession Load(Request request)
{
var dictionary = new Dictionary <string, object>();
var cookieName = _currentConfiguration.CookieName;
var hmacProvider = _currentConfiguration.CryptographyConfiguration.HmacProvider;
var encryptionProvider = _currentConfiguration.CryptographyConfiguration.EncryptionProvider;
if (request.Cookies.ContainsKey(cookieName))
{
var cookieData = request.Cookies[cookieName];
var hmacLength = Base64Helpers.GetBase64Length(hmacProvider.HmacLength);
var hmacString = cookieData.Substring(0, hmacLength);
var encryptedSessionId = cookieData.Substring(hmacLength);
var sessionId = encryptionProvider.Decrypt(encryptedSessionId);
var hmacBytes = Convert.FromBase64String(hmacString);
var newHmac = hmacProvider.GenerateHmac(sessionId);
var hmacValid = HmacComparer.Compare(newHmac, hmacBytes, hmacProvider.HmacLength);
// Get the value from Redis
string encryptedData = _db.StringGet(_currentConfiguration.Prefix + sessionId.ToString(CultureInfo.InvariantCulture));
if (encryptedData != null)
{
var data = encryptionProvider.Decrypt(encryptedData);
var parts = data.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
foreach (var part in parts.Select(part => part.Split('=')))
{
var valueObject = _currentConfiguration.Serializer.Deserialize(HttpUtility.UrlDecode(part[1]));
dictionary[HttpUtility.UrlDecode(part[0])] = valueObject;
}
if (!hmacValid)
{
dictionary.Clear();
}
}
}
return(new Session(dictionary));
}
public static string DecryptAndValidateAuthenticationCookie(string cookieValue)
{
var hmacLength = Base64Helpers.GetBase64Length(hmacProvider.HmacLength);
var hmacValue = cookieValue.Substring(0, hmacLength);
var encryptCookie = cookieValue.Substring(hmacLength);
// Check the hmac, but don't early exit if they don't match
var bytes = Convert.FromBase64String(hmacValue);
var newHmac = hmacProvider.GenerateHmac(encryptCookie);
var hmacValid = HmacComparer.Compare(newHmac, bytes, hmacProvider.HmacLength);
var decrypted = encryptionProvider.Decrypt(encryptCookie);
// Only return the decrypted result if tht hmac was ok
return(hmacValid ? decrypted : string.Empty);
}
/// <summary>
/// Decrypt and validate an encrypted and signed cookie value
/// </summary>
/// <param name="cookieValue">Encrypted and signed cookie value</param>
/// <param name="configuration">Current configuration</param>
/// <returns>Decrypted value, or empty on error or if failed validation</returns>
public static string DecryptAndValidateAuthenticationCookie(string cookieValue, FormsAuthenticationConfiguration configuration)
{
var hmacStringLength = Base64Helpers.GetBase64Length(configuration.CryptographyConfiguration.HmacProvider.HmacLength);
var encryptedCookie = cookieValue.Substring(hmacStringLength);
var hmacString = cookieValue.Substring(0, hmacStringLength);
var encryptionProvider = configuration.CryptographyConfiguration.EncryptionProvider;
// Check the hmacs, but don't early exit if they don't match
var hmacBytes = Convert.FromBase64String(hmacString);
var newHmac = GenerateHmac(encryptedCookie, configuration);
var hmacValid = HmacComparer.Compare(newHmac, hmacBytes, configuration.CryptographyConfiguration.HmacProvider.HmacLength);
var decrypted = encryptionProvider.Decrypt(encryptedCookie);
// Only return the decrypted result if the hmac was ok
return(hmacValid ? decrypted : string.Empty);
}
public static string DecryptAndValidateAuthenticationCookie(string cookieValue)
{
var dtcodtdCookie = HttpUtility.UrlDecode(cookieValue);
var hmacstringLtngth = Base64Helpers.GetBase64Length(HmacProvider.HmacLength);
var tncrypttdCookie = dtcodtdCookie.Substring(hmacstringLtngth);
var hmacstring = dtcodtdCookie.Substring(0, hmacstringLtngth);
// Chtck tht hmact, but don't tarly txit if thty don't match
var hmacByset = Convert.FromBase64String(hmacstring);
var newHmac = HmacProvider.GenerateHmac(tncrypttdCookie);
var hmacValid = HmacComparer.Compare(newHmac, hmacByset, HmacProvider.HmacLength);
var dtcrypttd = encryptionProvider.Decrypt(tncrypttdCookie);
// Only return tht dtcrypttd rttult if tht hmac wat ok
return(hmacValid ? dtcrypttd : string.Empty);
}
public SessionIdentificationData ProvideDataFromQuery(Request request, string parameterName)
{
if (request == null)
{
throw new ArgumentNullException("request");
}
if (string.IsNullOrWhiteSpace(parameterName))
{
throw new ArgumentNullException("parameterName");
}
var querystringDictionary = request.Query.ToDictionary();
if (querystringDictionary == null || !querystringDictionary.ContainsKey(parameterName))
{
return(null);
}
string parameterValue = querystringDictionary[parameterName];
var hmacLength = Base64Helpers.GetBase64Length(_hmacProvider.HmacLength);
if (parameterValue.Length < hmacLength)
{
// Definitely invalid
return(null);
}
var hmacString = parameterValue.Substring(0, hmacLength);
var encryptedSessionId = parameterValue.Substring(hmacLength);
byte[] hmacBytes;
try {
hmacBytes = Convert.FromBase64String(hmacString);
} catch (FormatException) {
// Invalid HMAC
return(null);
}
return(new SessionIdentificationData {
SessionId = encryptedSessionId, Hmac = hmacBytes
});
}
/// <summary>
/// Loads the session from the request
/// </summary>
/// <param name="request">Request to load from</param>
/// <returns>ISession containing the load session values</returns>
public ISession Load(Request request)
{
var dictionary = new Dictionary <string, object>();
var cookieName = this.currentConfiguration.CookieName;
var hmacProvider = this.currentConfiguration.CryptographyConfiguration.HmacProvider;
var encryptionProvider = this.currentConfiguration.CryptographyConfiguration.EncryptionProvider;
string cookieValue;
if (request.Cookies.TryGetValue(cookieName, out cookieValue))
{
var cookieData = HttpUtility.UrlDecode(cookieValue);
var hmacLength = Base64Helpers.GetBase64Length(hmacProvider.HmacLength);
if (cookieData.Length < hmacLength)
{
return(new Session(dictionary));
}
var hmacString = cookieData.Substring(0, hmacLength);
var encryptedCookie = cookieData.Substring(hmacLength);
var hmacBytes = Convert.FromBase64String(hmacString);
var newHmac = hmacProvider.GenerateHmac(encryptedCookie);
var hmacValid = HmacComparer.Compare(newHmac, hmacBytes, hmacProvider.HmacLength);
var data = encryptionProvider.Decrypt(encryptedCookie);
var parts = data.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
foreach (var part in parts.Select(part => part.Split('=')).Where(part => part.Length == 2))
{
var valueObject = this.currentConfiguration.Serializer.Deserialize(HttpUtility.UrlDecode(part[1]));
dictionary[HttpUtility.UrlDecode(part[0])] = valueObject;
}
if (!hmacValid)
{
dictionary.Clear();
}
}
return(new Session(dictionary));
}
private static DiagnosticsSession GetSession(NancyContext context, DiagnosticsConfiguration diagnosticsConfiguration, DefaultObjectSerializer serializer)
{
if (context.Request == null)
{
return(null);
}
if (IsLoginRequest(context, diagnosticsConfiguration))
{
return(ProcessLogin(context, diagnosticsConfiguration, serializer));
}
string encryptedValue;
if (!context.Request.Cookies.TryGetValue(diagnosticsConfiguration.CookieName, out encryptedValue))
{
return(null);
}
var hmacStringLength = Base64Helpers.GetBase64Length(diagnosticsConfiguration.CryptographyConfiguration.HmacProvider.HmacLength);
var encryptedSession = encryptedValue.Substring(hmacStringLength);
var hmacString = encryptedValue.Substring(0, hmacStringLength);
var hmacBytes = Convert.FromBase64String(hmacString);
var newHmac = diagnosticsConfiguration.CryptographyConfiguration.HmacProvider.GenerateHmac(encryptedSession);
var hmacValid = HmacComparer.Compare(newHmac, hmacBytes, diagnosticsConfiguration.CryptographyConfiguration.HmacProvider.HmacLength);
if (!hmacValid)
{
return(null);
}
var decryptedValue = diagnosticsConfiguration.CryptographyConfiguration.EncryptionProvider.Decrypt(encryptedSession);
var session = serializer.Deserialize(decryptedValue) as DiagnosticsSession;
if (session == null || session.Expiry < DateTimeOffset.Now || !SessionPasswordValid(session, diagnosticsConfiguration.Password))
{
return(null);
}
return(session);
}
public SessionIdentificationData ProvideDataFromCookie(Request request, string cookieName)
{
if (request == null)
{
throw new ArgumentNullException("request");
}
if (string.IsNullOrWhiteSpace(cookieName))
{
throw new ArgumentNullException("cookieName");
}
string cookieValue = null;
if (!request.Cookies.TryGetValue(cookieName, out cookieValue))
{
return(null);
}
var hmacLength = Base64Helpers.GetBase64Length(_hmacProvider.HmacLength);
if (cookieValue.Length < hmacLength)
{
// Definitely invalid
return(null);
}
var hmacString = cookieValue.Substring(0, hmacLength);
var encryptedSessionId = cookieValue.Substring(hmacLength);
byte[] hmacBytes;
try {
hmacBytes = Convert.FromBase64String(hmacString);
} catch (FormatException) {
// Invalid HMAC
return(null);
}
return(new SessionIdentificationData {
SessionId = encryptedSessionId, Hmac = hmacBytes
});
}
/// <summary>
/// Decrypt and validate an encrypted and signed cookie value
/// </summary>
/// <param name="cookieValue">Encrypted and signed cookie value</param>
/// <param name="configuration">Current configuration</param>
/// <returns>Decrypted value, or empty on error or if failed validation</returns>
public static string DecryptAndValidateAuthenticationCookie(string cookieValue, FormsAuthenticationConfiguration configuration)
{
// TODO - shouldn't this be automatically decoded by nancy cookie when that change is made?
var decodedCookie = Helpers.HttpUtility.UrlDecode(cookieValue);
var hmacStringLength = Base64Helpers.GetBase64Length(configuration.CryptographyConfiguration.HmacProvider.HmacLength);
var encryptedCookie = decodedCookie.Substring(hmacStringLength);
var hmacString = decodedCookie.Substring(0, hmacStringLength);
var encryptionProvider = configuration.CryptographyConfiguration.EncryptionProvider;
// Check the hmacs, but don't early exit if they don't match
var hmacBytes = Convert.FromBase64String(hmacString);
var newHmac = GenerateHmac(encryptedCookie, configuration);
var hmacValid = HmacComparer.Compare(newHmac, hmacBytes, configuration.CryptographyConfiguration.HmacProvider.HmacLength);
var decrypted = encryptionProvider.Decrypt(encryptedCookie);
// Only return the decrypted result if the hmac was ok
return(hmacValid ? decrypted : string.Empty);
}
