/// <summary> Invalidate the old session after copying all of its contents to a newly created session with a new session id.
/// Note that this is different from logging out and creating a new session identifier that does not contain the
/// existing session contents. Care should be taken to use this only when the existing session does not contain
/// hazardous contents.
///
/// </summary>
/// <returns> The invaldiated session.
/// </returns>
/// <seealso cref="Owasp.Esapi.Interfaces.IHttpUtilities.ChangeSessionIdentifier()">
/// </seealso>
public IHttpSession ChangeSessionIdentifier()
{
IHttpRequest request = ((Authenticator)Esapi.Authenticator()).CurrentRequest;
IHttpResponse response = ((Authenticator)Esapi.Authenticator()).CurrentResponse;
IHttpSession session = ((Authenticator)Esapi.Authenticator()).CurrentSession;
IDictionary temp = new Hashtable();
// make a copy of the session content
IEnumerator e = session.GetEnumerator();
while (e != null && e.MoveNext())
{
string name = (string)e.Current;
object val = session[name];
temp[name] = val;
}
// invalidate the old session and create a new one
// This hack comes from here: http://support.microsoft.com/?kbid=899918
session.Abandon();
response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
// copy back the session content
IEnumerator i = new ArrayList(temp).GetEnumerator();
while (i.MoveNext())
{
DictionaryEntry entry = (DictionaryEntry)i.Current;
session.Add((string)entry.Key, entry.Value);
}
return(session);
}
/// <summary>
/// Authenticates the user with a given password.
/// </summary>
/// <param name="password">The password to use for authentication.</param>
/// <seealso cref="Owasp.Esapi.Interfaces.IUser.LoginWithPassword(string)">
/// </seealso>
public void LoginWithPassword(string password)
{
if (password == null || password.Equals(""))
{
SetLastFailedLoginTime(DateTime.Now);
throw new AuthenticationLoginException("Login failed", "Missing password: "******"Login failed", "Disabled user attempt to login: "******"Login failed", "Locked user attempt to login: "******"Login failed", "Expired user attempt to login: "******"User logged in: " + accountName);
}
else
{
throw new AuthenticationLoginException("Login failed", "Login attempt as " + AccountName + " failed");
}
}
catch (EncryptionException ee)
{
throw new AuthenticationException("Internal error", "Error verifying password for " + accountName, ee);
}
}
private Cart GetCartFromSession(IHttpSession session)
{
if (!session.Contains("shoppingCart"))
{
session.Add("shoppingCart", new Cart());
}
return(session.Get <Cart>("shoppingCart"));
}
public IHttpResponse Greeting(IHttpRequest request)
{
IHttpSession session = request.Session;
Dictionary <string, string> formData = request.FormData;
if (session.Get("firstName") == null)
{
session.Add("firstName", formData["firstName"]);
}
else if (session.Get("lastName") == null)
{
session.Add("lastName", formData["lastName"]);
}
else if (session.Get("age") == null)
{
session.Add("age", formData["age"]);
}
return(new RedirectResponse("/greeting"));
}
public static ShoppingCart GetShoppingCart(this IHttpSession session)
{
ShoppingCart shoppingCart = session.Get <ShoppingCart>(CurrentShoppingCartSessionKey);
if (shoppingCart == null)
{
shoppingCart = new ShoppingCart();
session.Add(CurrentShoppingCartSessionKey, shoppingCart);
}
return(shoppingCart);
}
//GET /testsession
public IHttpResponse SessionTest(IHttpRequest req)
{
IHttpSession session = req.Session;
const string sessionDateKey = "saved_date";
if (session.Get(sessionDateKey) == null)
{
session.Add(sessionDateKey, DateTime.UtcNow);
}
return(new ViewResponse(HttpStatusCode.Ok, new SessionTestView((DateTime)session.Get(sessionDateKey))));
}
public IHttpResponse SessionTest(IHttpRequest request)
{
IHttpSession session = request.Session;
if (session.GetParameter("Logged_in") == null)
{
session.Add("Logged_in", DateTime.UtcNow);
}
DateTime loggedInTime = (DateTime)session.GetParameter("Logged_in");
var response = new ViewResponse(HttpStatusCode.OK, new SessionTestView(loggedInTime));
return(response);
}
public IHttpResponse Login(IHttpSession session, Dictionary <string, string> formData)
{
string email = formData["email"];
string password = formData["password"];
LoginViewModel user = this.userService.GetByMailAndPass(email, password);
if (user != null)
{
session.Add(SessionStore.CurrentUserKey, user);
return(new RedirectResponse("/"));
}
return(this.FileViewResponse("Account/login"));
}
internal IHttpResponse Login(IHttpSession session, Dictionary <string, string> formData)
{
string usernameOrEmail = formData["username"];
string password = formData["password"];
string username = this.userService.GetByMailOrPass(usernameOrEmail, password);
if (username == null)
{
this.InsertErrorMessage(AppConstants.LogInError);
this.SetGuestView();
return(this.FileViewResponse("/Users/login"));
}
session.Add(SessionStore.CurrentUserKey, username);
return(new RedirectResponse("/"));
}
internal IHttpResponse Register(IHttpSession session, Dictionary <string, string> formData)
{
string username = formData["username"];
string password = formData["password"];
string confirmedPassword = formData["confirmed-password"];
string email = formData["email"];
RegisterViewModel model = new RegisterViewModel()
{
Username = username,
Password = password,
ConfirmedPassword = confirmedPassword,
Email = email
};
if (!Validation.TryValidate(model))
{
this.InsertErrorMessage(AppConstants.InputUserDataError);
this.SetGuestView();
return(this.FileViewResponse("/Users/register"));
}
bool success = this.userService.CreateUser(model);
if (!success)
{
this.InsertErrorMessage(AppConstants.UsernameOrEmailAlreadyExist);
this.SetGuestView();
return(this.FileViewResponse("/Users/register"));
}
session.Add(SessionStore.CurrentUserKey, model.Username);
return(new RedirectResponse("/"));
}
public IHttpResponse Login(IHttpSession session, LoginUserViewModel model)
{
string error = this.ValidateModel(model);
if (error != null)
{
return(this.ErrorMessageResponse(error, FilePaths.UserLogin));
}
string email = model.Email;
string password = model.Password;
if (!this.UserService.Login(email, password))
{
// Check for not existing user.
return(this.ErrorMessageResponse(ErrorMessages.UserNotExist, FilePaths.UserLogin));
}
session.Add(SessionKeys.CurrentUser, email);
this.ShowUserNavBar(email);
return(new RedirectResponse(UrlPaths.Home));
}
