Example #1
0
        /// <summary>
        /// authenticate the user against the enterprise active directory and list the servers available to the user
        /// </summary>
        private void CreateEnterpriseSessionFromLogin()
        {
            try
            {
                // authenticate the user against the enterprise active directory
                _enterpriseSession = _enterpriseClient.Authenticate(user.Value, password.Value);

                if (_enterpriseSession.AuthenticationErrorCode != EnterpriseAuthenticationErrorCode.NONE)
                {
                    if (_enterpriseSession.AuthenticationErrorCode == EnterpriseAuthenticationErrorCode.PASSWORD_EXPIRED)
                    {
                        ClientScript.RegisterClientScriptBlock(GetType(), Guid.NewGuid().ToString(), string.Format("openPopup('changePasswordPopup', 'EnterpriseChangePassword.aspx?userName={0}');", user.Value), true);
                    }
                    else
                    {
                        connectError.InnerText = EnterpriseAuthenticationErrorHelper.GetErrorDescription(_enterpriseSession.AuthenticationErrorCode);
                    }
                    UpdateControls();
                    return;
                }

                // bind the enterprise session to the current http session
                Session[HttpSessionStateVariables.EnterpriseSession.ToString()] = _enterpriseSession;

                // session fixation protection
                if (_cookielessSession)
                {
                    // generate a new http session id
                    HttpSessionHelper.RegenerateSessionId();
                }

                // redirect to the hosts list
                Response.Redirect("~/", true);
            }
            catch (ThreadAbortException)
            {
                // occurs because the response is ended after redirect
            }
            catch (Exception exc)
            {
                System.Diagnostics.Trace.TraceError("Failed to create enterprise session from login ({0})", exc);
            }
        }
Example #2
0
        /// <summary>
        /// authenticate the user against the enterprise active directory and list the servers available to the user
        /// </summary>
        private void CreateEnterpriseSessionFromLogin()
        {
            try
            {
                // authenticate the user against the enterprise active directory
                _enterpriseSession = _enterpriseClient.Authenticate(user.Value, password.Value);
                if (_enterpriseSession.AuthenticationErrorCode != EnterpriseAuthenticationErrorCode.NONE)
                {
                    if (_enterpriseSession.AuthenticationErrorCode == EnterpriseAuthenticationErrorCode.PASSWORD_EXPIRED)
                    {
                        Page.ClientScript.RegisterClientScriptBlock(this.GetType(), Guid.NewGuid().ToString(), string.Format("openPopup('changePasswordPopup', 'EnterpriseChangePassword.aspx?userId={0}');", user.Value), true);
                    }
                    else
                    {
                        connectError.InnerText = EnterpriseAuthenticationErrorHelper
                                                 .GetErrorDescription(_enterpriseSession.AuthenticationErrorCode);
                    }
                    UpdateControls();
                    return;
                }

                // bind the enterprise session to the current http session
                HttpContext.Current.Session[HttpSessionStateVariables.EnterpriseSession.ToString()] = _enterpriseSession;

                // cancel the current http session
                HttpContext.Current.Session.Abandon();

                // prevent session fixation attack by generating a new session ID upon login
                // also, using http get method to prevent the browser asking for http post data confirmation if the page is reloaded
                // https://www.owasp.org/index.php/Session_Fixation
                Response.Redirect(string.Format("?oldSID={0}", HttpContext.Current.Session.SessionID), true);
            }
            catch (ThreadAbortException)
            {
                // occurs because the response is ended after redirect
            }
            catch (Exception exc)
            {
                System.Diagnostics.Trace.TraceError("Failed to create enterprise session from login ({0})", exc);
            }
        }