Esempio n. 1
        /// <summary>
        /// Switches this session to a logged-in state for <paramref name="userId"/>: a fresh
        /// user-accessible cookie (with a new CSRF token), a fresh encrypted mobile login payload,
        /// and a fresh HttpOnly cookie carrying that payload.
        /// </summary>
        /// <param name="userId">Identifier of the user who just authenticated.</param>
        /// <param name="tenantId">Tenant the login belongs to; kept only in the encrypted payload.</param>
        /// <param name="username">Name placed in the user-accessible cookie.</param>
        /// <param name="isPersistent">Stored in the encrypted payload; how it is honoured is decided elsewhere.</param>
        /// <param name="hasSessionStorage">When true, the new login id (and the one it replaces) is handed to <c>CreateMobileLoginInfo</c>.</param>
        public void Login(int userId, int tenantId, string username, bool isPersistent, bool hasSessionStorage)
        {
            // Remember the login id being replaced before any cookie is overwritten; an anonymous
            // cookie has nothing to hand over. NOTE(review): httpCookie is assumed non-null here — confirm.
            var replacedLoginId = !httpCookie.IsAnonymous ? httpCookie.LoginId : null;

            // Every login gets a brand-new CSRF token so a token issued before authentication is never reused.
            var freshCsrfToken = SecureTokenGenerator.Instance.GenerateCSRFToken();

            userCookie = new UserAccessibleLoginCookieValue
            {
                UserId = userId,
                Username = username,
                CSRFToken = freshCsrfToken
            };

            mobileLoginInfo = new MobileLoginInfo
            {
                UserId = userId,
                TenantId = tenantId,
                IsPersistent = isPersistent
            };

            // The HttpOnly cookie holds only the encrypted payload, so script on the page never sees it.
            var encryptedPayload = MobileLoginReadWriter.Write(configuration.EncryptKey, mobileLoginInfo);
            httpCookie = new HttpOnlyLoginCookieValue
            {
                LoginId = encryptedPayload
            };

            if (hasSessionStorage)
            {
                CreateMobileLoginInfo(httpCookie.LoginId, replacedLoginId);
            }

            // The token the next request must present is the one just written to the user cookie.
            csrfToken = userCookie.CSRFToken;

            // Mark the cookies as needing to be written back to the response.
            dirty = true;
        }
Esempio n. 2
        /// <summary>
        /// Checks the login cookies carried by the current request and loads <c>mobileLoginInfo</c>
        /// from them. Missing or badly-signed cookies are downgraded to an anonymous session;
        /// a CSRF token mismatch or an inconsistent user id is rejected.
        /// </summary>
        /// <param name="ignoreCSRFToken">When true, the CSRF token presence and equality checks are skipped.</param>
        /// <exception cref="InvalidLoginException">
        /// Thrown when the CSRF token is missing or does not match the user cookie, or when the
        /// user id in the user cookie differs from the one in the encrypted payload.
        /// </exception>
        public void Validate(bool ignoreCSRFToken)
        {
            var csrfMustMatch = !ignoreCSRFToken;

            // A request subject to CSRF checking must carry a token at all.
            if (csrfMustMatch && csrfToken == null)
            {
                throw new InvalidLoginException("Invalid CSRF request");
            }

            // Absent cookies mean "not logged in", not an error.
            var cookiesMissing = httpCookie == null || userCookie == null;
            if (cookiesMissing)
            {
                Anonymize();
            }

            // A cookie whose signature does not verify is also downgraded to anonymous rather
            // than rejected: after a cookie-format change, users repair their login cookies
            // simply by logging in again.
            if (ValidSignature() == false)
            {
                Anonymize();
            }

            // The presented token must equal the one stored in the user-accessible cookie.
            // NOTE(review): SlowEquals is presumably a constant-time comparison — confirm.
            if (csrfMustMatch && !csrfToken.SlowEquals(userCookie.CSRFToken))
            {
                throw new InvalidLoginException("Invalid CSRF request");
            }

            if (IsAnonymous)
            {
                // Anonymous sessions get a payload that only carries the default tenant.
                mobileLoginInfo = new MobileLoginInfo
                {
                    TenantId = configuration.DefaultTenantId
                };
            }
            else
            {
                // Decrypt the payload from the HttpOnly cookie.
                mobileLoginInfo = MobileLoginReadWriter.Read(configuration.EncryptKey, httpCookie.LoginId);
            }

            // The user-visible cookie and the encrypted payload must agree on who is logged in.
            var userIdsDiffer = userCookie.UserId != mobileLoginInfo.UserId;
            if (userIdsDiffer)
            {
                throw new InvalidLoginException("Inconsistent Login Info");
            }
        }