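/// <summary> Invalidate the old session after copying all of its contents to a newly created session with a new session id.
        /// Note that this is different from logging out and creating a new session identifier that does not contain the
        /// existing session contents. Care should be taken to use this only when the existing session does not contain
        /// hazardous contents.
        ///
        /// The current response and session are taken from the <see cref="Authenticator"/>. The session entries are
        /// copied into a temporary table, the session is abandoned and the <c>ASP.NET_SessionId</c> cookie is cleared
        /// (the workaround from http://support.microsoft.com/?kbid=899918), and the entries are then written back.
        /// </summary>
        /// <returns> The invalidated session.
        /// </returns>
        /// <seealso cref="Owasp.Esapi.Interfaces.IHttpUtilities.ChangeSessionIdentifier()">
        /// </seealso>
        public IHttpSession ChangeSessionIdentifier()
        {
            // Resolve and cast the authenticator once rather than on every line.
            Authenticator authenticator = (Authenticator)Esapi.Authenticator();
            IHttpResponse response = authenticator.CurrentResponse;
            IHttpSession  session  = authenticator.CurrentSession;
            IDictionary   temp     = new Hashtable();

            // make a copy of the session content (keys are enumerated as strings)
            IEnumerator e = session.GetEnumerator();
            while (e != null && e.MoveNext())
            {
                string name = (string)e.Current;
                temp[name] = session[name];
            }

            // invalidate the old session and create a new one
            // This hack comes from here: http://support.microsoft.com/?kbid=899918
            // Clearing the cookie stops the client from presenting the old identifier again.
            session.Abandon();
            response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

            // copy back the session content
            // NOTE(review): with ASP.NET's own session state, entries written after Abandon() are not carried into the
            // next request's session — confirm that this IHttpSession implementation preserves them.
            foreach (DictionaryEntry entry in temp)
            {
                session.Add((string)entry.Key, entry.Value);
            }
            return session;
        }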
        /// <summary>
        /// Authenticates the user with a given password.
        /// </summary>
        /// <param name="password">The password to use for authentication.</param>
        /// <exception cref="AuthenticationLoginException">Thrown when the password is missing or the login attempt fails.</exception>
        /// <exception cref="AuthenticationException">Thrown when password verification itself fails with an <see cref="EncryptionException"/>.</exception>
        /// <seealso cref="Owasp.Esapi.Interfaces.IUser.LoginWithPassword(string)">
        /// </seealso>
        public void LoginWithPassword(string password)
        {
            if (password == null || password.Equals(""))
            {
                // A missing password is recorded as a failed attempt; note this uses local wall-clock time, not UTC.
                SetLastFailedLoginTime(DateTime.Now);
                // NOTE(review): the text captured on this page collapses several distinct failure branches onto the
                // next line and omits the opening of the try block — confirm against the original source file.
                throw new AuthenticationLoginException("Login failed", "Missing password: "******"Login failed", "Disabled user attempt to login: "******"Login failed", "Locked user attempt to login: "******"Login failed", "Expired user attempt to login: "******"User logged in: " + accountName);
                }
                else
                {
                    // NOTE(review): the AccountName property is used here but the accountName field below — confirm both hold the same value.
                    throw new AuthenticationLoginException("Login failed", "Login attempt as " + AccountName + " failed");
                }
            }
            catch (EncryptionException ee)
            {
                // A failure inside password verification is surfaced as an internal error, not as a failed login.
                throw new AuthenticationException("Internal error", "Error verifying password for " + accountName, ee);
            }
        }
        /// <summary>
        /// Returns the cart stored in the session, creating and storing an empty one first if none is present.
        /// </summary>
        /// <param name="session">The session that holds the cart under the "shoppingCart" key.</param>
        /// <returns>The cart read back from the session.</returns>
        private Cart GetCartFromSession(IHttpSession session)
        {
            const string cartKey = "shoppingCart";

            bool cartPresent = session.Contains(cartKey);
            if (cartPresent == false)
            {
                session.Add(cartKey, new Cart());
            }

            // Always read back through the session so the returned instance is the stored one.
            Cart cart = session.Get <Cart>(cartKey);
            return cart;
        }
        /// <summary>
        /// Stores the first of firstName, lastName and age that is not yet in the session, taking the value from the
        /// posted form data, then redirects to /greeting.
        /// </summary>
        /// <param name="request">The request carrying the session and the form data.</param>
        /// <returns>A redirect to /greeting.</returns>
        public IHttpResponse Greeting(IHttpRequest request)
        {
            IHttpSession session = request.Session;
            Dictionary <string, string> formData = request.FormData;

            // Fields are filled one per request, in this fixed order. The value is stored as posted, without
            // validation here, and the dictionary indexer throws KeyNotFoundException if the form omits the field.
            string[] fieldsInOrder = { "firstName", "lastName", "age" };
            foreach (string field in fieldsInOrder)
            {
                if (session.Get(field) != null)
                {
                    continue;
                }

                session.Add(field, formData[field]);
                break;
            }

            return new RedirectResponse("/greeting");
        }
        /// <summary>
        /// Extension that returns the session's shopping cart, creating and storing a new one when the session has none.
        /// </summary>
        /// <param name="session">The session to read from and, if needed, write to.</param>
        /// <returns>The existing cart, or the newly created one that was just stored.</returns>
        public static ShoppingCart GetShoppingCart(this IHttpSession session)
        {
            ShoppingCart existing = session.Get <ShoppingCart>(CurrentShoppingCartSessionKey);
            if (existing != null)
            {
                return existing;
            }

            // No cart yet: create one and store it under the shared key before handing it out.
            ShoppingCart created = new ShoppingCart();
            session.Add(CurrentShoppingCartSessionKey, created);
            return created;
        }
        //GET /testsession
        /// <summary>
        /// Stores the current UTC time in the session on first visit and renders the stored time on every visit.
        /// </summary>
        /// <param name="req">The request whose session is used.</param>
        /// <returns>An OK view response showing the stored timestamp.</returns>
        public IHttpResponse SessionTest(IHttpRequest req)
        {
            const string sessionDateKey = "saved_date";
            IHttpSession session = req.Session;

            bool firstVisit = session.Get(sessionDateKey) == null;
            if (firstVisit)
            {
                session.Add(sessionDateKey, DateTime.UtcNow);
            }

            // Read back through the session and unbox; the stored value is the DateTime added above.
            DateTime savedDate = (DateTime)session.Get(sessionDateKey);
            SessionTestView view = new SessionTestView(savedDate);
            return new ViewResponse(HttpStatusCode.Ok, view);
        }
        /// <summary>
        /// Records the UTC time of the first visit under "Logged_in" and renders that time on each request.
        /// </summary>
        /// <param name="request">The request whose session is used.</param>
        /// <returns>An OK view response showing the recorded timestamp.</returns>
        public IHttpResponse SessionTest(IHttpRequest request)
        {
            const string loggedInKey = "Logged_in";
            IHttpSession session = request.Session;

            if (session.GetParameter(loggedInKey) != null)
            {
                // Already recorded on an earlier request; keep the original value.
            }
            else
            {
                session.Add(loggedInKey, DateTime.UtcNow);
            }

            DateTime loggedInTime = (DateTime)session.GetParameter(loggedInKey);
            return new ViewResponse(HttpStatusCode.OK, new SessionTestView(loggedInTime));
        }
        /// <summary>
        /// Looks the user up by email and password; on success stores the user in the session and redirects home,
        /// otherwise renders the login view again.
        /// </summary>
        /// <param name="session">The session that receives the logged-in user.</param>
        /// <param name="formData">Posted form fields; "email" and "password" are required (the indexer throws if absent).</param>
        /// <returns>A redirect to "/" on success, or the Account/login view.</returns>
        public IHttpResponse Login(IHttpSession session, Dictionary <string, string> formData)
        {
            string email    = formData["email"];
            string password = formData["password"];

            LoginViewModel user = this.userService.GetByMailAndPass(email, password);
            if (user == null)
            {
                return this.FileViewResponse("Account/login");
            }

            // The whole view model returned by the lookup is what gets stored in the session.
            session.Add(SessionStore.CurrentUserKey, user);
            return new RedirectResponse("/");
        }
        /// <summary>
        /// Resolves a username from the posted username-or-email and password; on success stores the username in the
        /// session and redirects home, otherwise shows the login error and re-renders the login view.
        /// </summary>
        /// <param name="session">The session that receives the logged-in username.</param>
        /// <param name="formData">Posted form fields; "username" and "password" are required (the indexer throws if absent).</param>
        /// <returns>A redirect to "/" on success, or the /Users/login view with an error message.</returns>
        internal IHttpResponse Login(IHttpSession session, Dictionary <string, string> formData)
        {
            string usernameOrEmail = formData["username"];
            string password        = formData["password"];

            string resolvedUsername = this.userService.GetByMailOrPass(usernameOrEmail, password);
            bool loginSucceeded = resolvedUsername != null;

            if (loginSucceeded)
            {
                // NOTE(review): the existing session is reused as-is; nothing here issues a new session id — confirm
                // the framework does so on login.
                session.Add(SessionStore.CurrentUserKey, resolvedUsername);
                return new RedirectResponse("/");
            }

            this.InsertErrorMessage(AppConstants.LogInError);
            this.SetGuestView();
            return this.FileViewResponse("/Users/login");
        }
        /// <summary>
        /// Builds a registration model from the posted form, validates it and creates the user; on success stores the
        /// username in the session and redirects home, otherwise shows an error and re-renders the register view.
        /// </summary>
        /// <param name="session">The session that receives the new username on success.</param>
        /// <param name="formData">Posted form fields; "username", "password", "confirmed-password" and "email" are
        /// required (the indexer throws if any is absent).</param>
        /// <returns>A redirect to "/" on success, or the /Users/register view with an error message.</returns>
        internal IHttpResponse Register(IHttpSession session, Dictionary <string, string> formData)
        {
            // Fields are read in the same order as before, so a missing field fails at the same point.
            RegisterViewModel model = new RegisterViewModel()
            {
                Username          = formData["username"],
                Password          = formData["password"],
                ConfirmedPassword = formData["confirmed-password"],
                Email             = formData["email"]
            };

            bool failed = false;
            if (!Validation.TryValidate(model))
            {
                this.InsertErrorMessage(AppConstants.InputUserDataError);
                failed = true;
            }
            else if (!this.userService.CreateUser(model))
            {
                // CreateUser returning false is reported as a username/email collision.
                this.InsertErrorMessage(AppConstants.UsernameOrEmailAlreadyExist);
                failed = true;
            }

            if (failed)
            {
                this.SetGuestView();
                return this.FileViewResponse("/Users/register");
            }

            session.Add(SessionStore.CurrentUserKey, model.Username);
            return new RedirectResponse("/");
        }
        /// <summary>
        /// Validates the login model, authenticates via the user service, and on success stores the email in the
        /// session, switches the nav bar to the user view and redirects home.
        /// </summary>
        /// <param name="session">The session that receives the current user's email.</param>
        /// <param name="model">The posted login model (email and password).</param>
        /// <returns>A redirect to the home URL on success, otherwise the login view with an error message.</returns>
        public IHttpResponse Login(IHttpSession session, LoginUserViewModel model)
        {
            string validationError = this.ValidateModel(model);
            if (validationError != null)
            {
                return this.ErrorMessageResponse(validationError, FilePaths.UserLogin);
            }

            string email    = model.Email;
            string password = model.Password;

            bool authenticated = this.UserService.Login(email, password);
            if (!authenticated)
            {
                // A false result is reported as "user does not exist"; whether UserService.Login also returns
                // false for a wrong password is not visible here.
                return this.ErrorMessageResponse(ErrorMessages.UserNotExist, FilePaths.UserLogin);
            }

            session.Add(SessionKeys.CurrentUser, email);
            this.ShowUserNavBar(email);
            return new RedirectResponse(UrlPaths.Home);
        }