//It validates the token, where all the parameters passed as a RouteValueDictionary public static bool ValidateToken(RouteValueDictionary requestUrlParts, ISecurityTokenSetting securityTokenSetting, string password) { //get the parameters string controllerName; try { controllerName = Convert.ToString(requestUrlParts["controller"]); } catch { controllerName = ""; } string actionName = Convert.ToString(requestUrlParts["action"]); string token = Convert.ToString(requestUrlParts[UrlTokenRoutKey]); return(ValidateToken(token, controllerName, actionName, requestUrlParts, securityTokenSetting, password)); }
//This validates the token public static bool ValidateToken(string token, string controllerName, string actionName, RouteValueDictionary argumentParams, ISecurityTokenSetting securityTokenSetting, string password) { //compute the token for the currrent parameter string computedToken = GenerateToken(controllerName, actionName, argumentParams, securityTokenSetting, password); return(computedToken == token); }
public static string GenerateToken(string controllerName, string actionName, RouteValueDictionary argumentParams, ISecurityTokenSetting securityTokenSetting, string password) { if (!securityTokenSetting.IsEnabled) { return(""); } ////The URL hash is dynamic by assign a dynamic key in each session. So ////eventhough your URL is stolen, it will not work in other session //if (HttpContext.Current.Session["url_dynamickey"] == null) // HttpContext.Current.Session["url_dynamickey"] = RandomString(); string token = ""; //The salt include the dynamic session key and valid for an hour. // string salt = HttpContext.Current.Session["url_dynamickey"].ToString() + DateTime.Now.ToShortDateString() + " " + DateTime.Now.Hour; ; string salt = securityTokenSetting.ActionUniqueIdentifier; //generating the partial url StringBuilder stringToTokenBuilde = new StringBuilder(30); stringToTokenBuilde.Append(controllerName); stringToTokenBuilde.Append('/'); stringToTokenBuilde.Append(actionName); foreach (KeyValuePair <string, object> item in argumentParams) { if (!KnownRouteNames.Contains(item.Key.ToLower())) { if (item.Value != null) { if (securityTokenSetting.ExcludeNames == null || !securityTokenSetting.ExcludeNames.Contains(item.Key.ToLower())) { stringToTokenBuilde.Append('/'); stringToTokenBuilde.Append(item.Value); } } } } var stringToToken = stringToTokenBuilde.ToString().ToLower(); //Converting the salt in to a byte array byte[] saltValueBytes = System.Text.Encoding.ASCII.GetBytes(salt); //Encrypt the salt bytes with the password Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(password, saltValueBytes); //get the key bytes from the above process byte[] secretKey = key.GetBytes(16); //generate the hash HMACMD5 tokenHash = new HMACMD5(secretKey); var BytesToToken = System.Text.Encoding.ASCII.GetBytes(stringToToken); tokenHash.ComputeHash(BytesToToken); //convert the hash to a base64string //token = Convert.ToBase64String(tokenHash.Hash).Replace("/", "_"); token = HttpServerUtility.UrlTokenEncode(tokenHash.Hash.Skip(5).Take(8).ToArray()); return(token); }