//-----------------------------------------------------------------------------------------------------------------------------------------------
/// <summary>
///     Validates the encrypted key supplied for this page. The key is accepted only when it decrypts to
///     (a) an anon ID equal to this request's AnonID cookie, or to DefaultAnonID when the cookie is absent, and
///     (b) a timestamp that is between 0 and 10 seconds old.
/// </summary>
/// <param name="encryptedKey">
///     The encrypted key, still in the form that MGLEncryption.DeHTMLifyString expects.
///     A null or empty value is rejected without attempting decryption.
/// </param>
/// <returns>
///     True when both checks pass. False in every other case, including when any exception is thrown
///     while decoding, decrypting or slicing the key (the exception is logged at level 8).
/// </returns>
/// <remarks>
///     NOTE(review): the earlier summary said that passing null makes this method read the key from the page
///     URL parameters. Nothing in this method does that; null simply returns false. Confirm against callers.
///     NOTE(review): nothing here records that a key has been used, so the same key passes again until its
///     10 seconds are up. Confirm that this is acceptable for the pages that rely on it.
///     NOTE(review): the timestamp is parsed with the current culture and compared with local time
///     (DateTime.Now). This presumably mirrors how the key is issued; local clock times repeat for an hour
///     when daylight saving ends, so UTC and a fixed format would be safer, changed on both sides together.
/// </remarks>
protected bool KeyIsValid(StringBuilder encryptedKey) {

    // 11-May-2016 - MGLEncryption.Decrypt throws a serious level 9 error if no key is provided.
    // A missing key only means the tool was not used correctly, so it is rejected quietly here.
    if (encryptedKey == null || encryptedKey.Length == 0) {
        return false;
    }

    try {
        //-----a----- Decode and decrypt the key
        StringBuilder decodedKey = MGLEncryption.DeHTMLifyString(encryptedKey);
        string plainKey = MGLEncryption.Decrypt(decodedKey).ToString();

        //-----b----- Slice out the two fields: 36 characters from offset 1 and 19 characters from offset 38.
        // A decrypted key that is too short throws here and ends up in the catch below.
        StringBuilder anonID = new StringBuilder(plainKey.Substring(1, 36));
        string issuedAtText = plainKey.Substring(38, 19);

        //-----c----- Work out how old the key is.
        // A failed parse leaves issuedAt at DateTime.MinValue, which the age check below rejects anyway;
        // the flag only makes that rejection explicit.
        DateTime issuedAt;
        bool timestampParsed = DateTime.TryParse(issuedAtText, out issuedAt);
        double ageInSeconds = DateTime.Now.Subtract(issuedAt).TotalSeconds;

        //-----d----- The anon ID this request should carry.
        // The cookie value is supplied by the client; without a cookie the comparison is made against DefaultAnonID.
        var anonCookie = Request.Cookies["AnonID"];
        string expectedAnonID = (anonCookie != null) ? anonCookie.Value : DefaultAnonID;

        //-----e----- Both checks have to pass: a timestamp from the last 10 seconds (and not in the future)
        // and a matching anon ID. The anon ID is only compared once the timestamp has been accepted.
        // NOTE(review): confirm that MGLEncryption.AreEqual compares in constant time.
        bool isFresh = timestampParsed && ageInSeconds >= 0 && ageInSeconds < 10;
        return isFresh && MGLEncryption.AreEqual(anonID, new StringBuilder(expectedAnonID));

    } catch (Exception ex) {
        // Anything that goes wrong above counts as an invalid key. Malformed or tampered keys are expected
        // to arrive here too, so these log entries are worth watching.
        Logger.LogError(8, "Problem checking if the authorisation key in the login page is valid. This is serious! The specific error was: " + ex.ToString());
        return false;
    }
}
//-----------------------------------------------------------------------------------------------------------------------------------------------------------
/// <summary>
///     Finds the password reset widget whose Token equals the supplied value.
/// </summary>
/// <param name="guid">The token to look for. A null or empty value skips the search.</param>
/// <returns>The first entry in Widgets whose Token matches, or null when nothing matches.</returns>
/// <remarks>
///     Every call ends with a random pause of 0 to 99 ms, including calls with a null or empty token.
///     The pause only adds noise to the response time and does not make the comparison itself constant time.
///     NOTE(review): confirm that MGLEncryption.AreEqual compares in constant time; that is what the
///     protection of the token really rests on.
///     NOTE(review): a new Random is created on every call. On .NET Framework it is seeded from the clock,
///     so calls that arrive together can draw the same pause.
///     NOTE(review): Widgets is enumerated here without any locking; confirm how it is modified elsewhere.
/// </remarks>
public static PasswordResetWidget GetWidget(StringBuilder guid) {
    PasswordResetWidget match = null;
    bool haveToken = (guid != null && guid.Length > 0);

    if (haveToken) {
        foreach (PasswordResetWidget candidate in Widgets) {
            // 17-Jul-15 - MGLPasswordHash was judged overkill for this lookup, so the token is checked
            // with MGLEncryption.AreEqual (one level of encryption) instead.
            if (!MGLEncryption.AreEqual(guid, candidate.Token)) {
                continue;
            }

            // The first matching widget wins and the search stops.
            match = candidate;
            break;
        }
    }

    // Random pause, intended to blur the timing of the check for anyone measuring response times.
    // It blocks the calling thread for its whole duration.
    int jitterMs = new Random().Next(0, 100);
    Thread.Sleep(jitterMs);

    return match;
}