public static void AddSessionFixationProtectionCookie(HeContext heContext) { if (UseSessionFixationProtection()) { if (!heContext.IsReadOnlySessionRequest) { if (StringUtils.EqualsIgnoreCase(heContext.Session.TerminalType, "WEB")) { string randomPart = String.Empty + GetRandomLongNumber() + GetRandomLongNumber(); HttpCookie protectionValueCookie = GetCookieByName(heContext.Context.Request.Cookies, heContext.AppInfo.SessionFixationProtectionCookieName); heContext.Session.SessionFixationProtectionOld = protectionValueCookie == null ? "" : protectionValueCookie.Value; heContext.Session.SessionFixationProtection = randomPart; heContext.PendingSessionProtectionValidation = false; HttpCookie cookie = new HttpCookie(heContext.AppInfo.SessionFixationProtectionCookieName, randomPart); cookie.Path = SESSION_FIXATION_PROTECTION_COOKIE_PATH; SecureCookieUtils.setSecureCookie(cookie, heContext.Context.Response); if (Settings.GetBool(Settings.Configs.DebugSessionFixationProtection)) { GeneralLog.StaticWrite(DateTime.Now, heContext.Session.SessionID, heContext.AppInfo.eSpaceId, 0, heContext.Session.UserId, "OldSessionFixationProtectionCookie (" + heContext.Session.SessionFixationProtectionOld + "); NewSessionFixationProtectionCookie(" + heContext.Session.SessionFixationProtection + ")", "INFO", "SESSION", null); } heContext.Session.SessionFixationProtectionExpirationInstant = DateTime.Now.AddSeconds(Settings.GetInt(Settings.Configs.SessionFixationAllowedOverlapWindowInSecs)); } } } }
internal static void DeleteCookie(HeContext heContext, string cookieName, string cookiePath) { var cookie = GetCookieByName(heContext.Context.Request.Cookies, cookieName); if (cookie != null) { cookie.Value = String.Empty; cookie.Path = cookiePath; cookie.Expires = DateTime.Now; SecureCookieUtils.setSecureCookie(cookie, heContext.Context.Response); } }
public static void ValidateSessionFixationCookieAgainstSession(HeContext heContext) { // Process SessionFixationProtection cookie if (!heContext.IsReadOnlySessionRequest) { if (Settings.GetBool(Settings.Configs.EnableSessionFixationProtection) && heContext.Session.TerminalType == "WEB") { string protectionValueInSession = heContext.Session.SessionFixationProtection; if (protectionValueInSession != null && heContext.PendingSessionProtectionValidation) { HttpCookie protectionValueCookie = GetCookieByName(heContext.Context.Request.Cookies, heContext.AppInfo.SessionFixationProtectionCookieName); heContext.PendingSessionProtectionValidation = false; if (protectionValueCookie == null || (protectionValueCookie != null && !protectionValueInSession.Equals(protectionValueCookie.Value))) { if (Settings.GetBool(Settings.Configs.DebugSessionFixationProtection)) { GeneralLog.StaticWrite(DateTime.Now, heContext.Session.SessionID, heContext.AppInfo.eSpaceId, 0, heContext.Session.UserId, "Session fixation mismatch with current cookie (session:" + protectionValueInSession + " cookie:" + (protectionValueCookie == null ? "null" : protectionValueCookie.Value) + ")", "INFO", "SESSION", null); } var protectionValueCookieValue = protectionValueCookie == null || protectionValueCookie.Value == null ? "" : protectionValueCookie.Value; if (DateTime.Now < heContext.Session.SessionFixationProtectionExpirationInstant && heContext.Session.SessionFixationProtectionOld.Equals(protectionValueCookieValue)) { //previous session fixation cookie still accepted within the timeframe //send current cookie again HttpCookie cookie = new HttpCookie(heContext.AppInfo.SessionFixationProtectionCookieName, heContext.Session.SessionFixationProtection); cookie.Path = SESSION_FIXATION_PROTECTION_COOKIE_PATH; SecureCookieUtils.setSecureCookie(cookie, heContext.Context.Response); if (Settings.GetBool(Settings.Configs.DebugSessionFixationProtection)) { GeneralLog.StaticWrite(DateTime.Now, heContext.Session.SessionID, heContext.AppInfo.eSpaceId, 0, heContext.Session.UserId, "(repeat) CurrentSessionFixationProtectionCookie (" + heContext.Session.SessionFixationProtection + ")", "INFO", "SESSION", null); } return; } if (Settings.GetBool(Settings.Configs.DebugSessionFixationProtection)) { GeneralLog.StaticWrite(DateTime.Now, heContext.Session.SessionID, heContext.AppInfo.eSpaceId, 0, heContext.Session.UserId, "Session fixation mismatch with old cookie (old:" + heContext.Session.SessionFixationProtectionOld + " cookie:" + (protectionValueCookie == null ? "null" : protectionValueCookie.Value) + ")", "INFO", "SESSION", null); } // Clear the session cookie to avoid locking the user to an invalid session in the next request. This might not work when we have session cookies bound to the domain, // but it would help the rare case when people get locked with no reason to simply retry the request and continue. DeleteSessionCookie(heContext); throw new Exception("Session fixation mismatch"); } } } } }
private static void AddOrUpdatePersistentLoginEntryAndCookie(HeContext heContext, Transaction trans, int tenantId, int userId, int persistentLoginId, DateTime expirationDateTime, string operationName) { if (persistentLoginId == 0 || expirationDateTime == DateTime.MinValue) { int daysToRememberLogin = Settings.GetInt(Settings.Configs.RememberLoginTimeoutInDays); TimeSpan timeSpan = new TimeSpan(daysToRememberLogin, 0, 0, 0); expirationDateTime = DateTime.Now.Add(timeSpan); } // This method is not protected by UseSessionFixationProtection() on purpose // What happens here is supposed to happen, regardless of the value of that setting string terminalType = heContext.Session.TerminalType; bool addCookieToResponse = false; string cookieValue; switch (heContext.Session.TerminalType) { case "SMS": cookieValue = heContext.Session.MSISDN; break; case "WEB": default: terminalType = "WEB"; addCookieToResponse = true; cookieValue = Guid.NewGuid().ToString(); break; } DBRuntimePlatform.Instance.AddOrUpdatePersistentLoginEntry(trans, persistentLoginId, tenantId, userId, cookieValue, expirationDateTime, terminalType, operationName); if (addCookieToResponse) { HttpCookie cookie = new HttpCookie(heContext.AppInfo.PersitentLoginCookieName, cookieValue); cookie.Path = PERSISTENT_LOGIN_COOKIE_PATH; cookie.Expires = expirationDateTime; SecureCookieUtils.setSecureCookie(cookie, heContext.Context.Response); } }
private static void AddOrUpdatePersistentLoginEntryAndCookie(HeContext heContext, Transaction trans, int tenantId, int userId, int persistentLoginId, DateTime expirationDateTime, string operationName) { if (persistentLoginId == 0 || expirationDateTime == DateTime.MinValue) { int daysToRememberLogin = RuntimePlatformSettings.Authentication.RememberLoginTimeoutInDays.GetValue(); TimeSpan timeSpan = new TimeSpan(daysToRememberLogin, 0, 0, 0); expirationDateTime = DateTime.Now.Add(timeSpan); } // This method is not protected by UseSessionFixationProtection() on purpose // What happens here is supposed to happen, regardless of the value of that setting string cookieValue = Guid.NewGuid().ToString(); DBRuntimePlatform.Instance.AddOrUpdatePersistentLoginEntry(trans, persistentLoginId, tenantId, userId, cookieValue, expirationDateTime, /*terminalType*/ "WEB", operationName); HttpCookie cookie = new HttpCookie(heContext.AppInfo.PersitentLoginCookieName, cookieValue) { Path = PERSISTENT_LOGIN_COOKIE_PATH, Expires = expirationDateTime }; SecureCookieUtils.setSecureCookie(cookie, heContext.Context.Response); }