Exemple #1
0
        protected void Application_BeginRequest(Object sender, EventArgs e)
        {
            #region XSS, SQL Injection 방지

            string originalPath = HttpContext.Current.Request.Path;
            string queryString  = string.Empty;

            if (HttpContext.Current.Request.QueryString.Count > 0)
            {
                queryString = HttpContext.Current.Request.QueryString.ToString();

                // Injection 문자 존재 여부
                bool hasInjectionCharacters;

                // Query String 에서 XSS, SQL Injection 공격에 사용되는 Single quotation, Dobule quotation, Semi colon 제거 / Less Than, Greater Than  치환
                queryString = HelperSecurity.WithoutInjectionCharacters(queryString, out hasInjectionCharacters);

                // Injection 문자가 존재할 경우, 메인 페이지로 Redirect
                if (hasInjectionCharacters)
                {
                    Context.RewritePath("/");
                }
                else
                {
                    Context.RewritePath(originalPath + "?" + queryString);
                }
            }

            #endregion / XSS, SQL Injection 방지
        }
Exemple #2
0
        public async Task ReceiveAsync(AuthenticationTokenReceiveContext context)
        {
            var allowedOrigin = context.OwinContext.Get <string>("as:clientAllowedOrigin");

            context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });

            string hashedTokenId = HelperSecurity.GetHash(context.Token);

            //using (AuthRepository _repo = new AuthRepository())
            using (var dbcontext = new ApplicationDbContext())
            {
                var repo         = new UserRepository(dbcontext);
                var refreshToken = await repo.FindRefreshToken(hashedTokenId);

                if (refreshToken != null)
                {
                    //Get protectedTicket from refreshToken class
                    context.DeserializeTicket(refreshToken.ProtectedTicket);
                    var result = await repo.RemoveRefreshToken(hashedTokenId);
                }
            }
        }
Exemple #3
0
        public async Task CreateAsync(AuthenticationTokenCreateContext context)
        {
            var clientid = context.Ticket.Properties.Dictionary["as:client_id"];

            if (string.IsNullOrEmpty(clientid))
            {
                return;
            }

            var refreshTokenId = Guid.NewGuid().ToString("n");

            using (var dbcontext = new ApplicationDbContext())
            {
                var repo = new UserRepository(dbcontext);
                var refreshTokenLifeTime = context.OwinContext.Get <string>("as:clientRefreshTokenLifeTime");

                var token = new RefreshToken()
                {
                    Id         = HelperSecurity.GetHash(refreshTokenId),
                    ClientId   = clientid,
                    Subject    = context.Ticket.Identity.Name,
                    IssuedUtc  = DateTime.UtcNow,
                    ExpiresUtc = DateTime.UtcNow.AddMinutes(Convert.ToDouble(refreshTokenLifeTime))
                };

                context.Ticket.Properties.IssuedUtc  = token.IssuedUtc;
                context.Ticket.Properties.ExpiresUtc = token.ExpiresUtc;

                token.ProtectedTicket = context.SerializeTicket();

                var result = await repo.AddRefreshToken(token);

                if (result)
                {
                    context.SetToken(refreshTokenId);
                }
            }
        }