/// <summary>
/// Establishes a fresh login for <paramref name="userId"/>: issues a new CSRF token in the
/// user-accessible cookie, writes the login payload (via <c>MobileLoginReadWriter.Write</c>
/// with the configured key) into the HttpOnly cookie, optionally records the login in
/// session storage, and marks the cookie state dirty so it is persisted.
/// </summary>
/// <param name="userId">Id of the user being logged in.</param>
/// <param name="tenantId">Tenant the login belongs to.</param>
/// <param name="username">Display name stored in the user-accessible cookie.</param>
/// <param name="isPersistent">Stored in the login payload; presumably controls cookie lifetime — confirm in reader.</param>
/// <param name="hasSessionStorage">When true, <c>CreateMobileLoginInfo</c> is invoked with the new and previous login ids.</param>
public void Login(int userId, int tenantId, string username, bool isPersistent, bool hasSessionStorage)
{
    // Capture the id of the login being replaced before httpCookie is overwritten below;
    // an anonymous cookie has no previous login to chain from.
    var replacedLoginId = httpCookie.IsAnonymous ? null : httpCookie.LoginId;

    // Every login gets a brand-new CSRF token; it is exposed to script via the
    // user-accessible cookie and mirrored into csrfToken at the end.
    var freshCsrfToken = SecureTokenGenerator.Instance.GenerateCSRFToken();
    userCookie = new UserAccessibleLoginCookieValue
    {
        UserId = userId,
        Username = username,
        CSRFToken = freshCsrfToken,
    };

    // Login payload serialized (presumably encrypted, given EncryptKey) into the HttpOnly cookie.
    mobileLoginInfo = new MobileLoginInfo
    {
        UserId = userId,
        TenantId = tenantId,
        IsPersistent = isPersistent,
    };
    var newLoginId = MobileLoginReadWriter.Write(configuration.EncryptKey, mobileLoginInfo);
    httpCookie = new HttpOnlyLoginCookieValue { LoginId = newLoginId };

    if (hasSessionStorage)
    {
        CreateMobileLoginInfo(newLoginId, replacedLoginId);
    }

    csrfToken = userCookie.CSRFToken;
    dirty = true;
}
/// <summary>
/// Validates the login cookies for the current request and normalises the login state:
/// missing or badly signed cookies are downgraded to anonymous, a missing or mismatching
/// CSRF token is rejected unless <paramref name="ignoreCSRFToken"/> is set, and on success
/// <c>mobileLoginInfo</c> is populated from the HttpOnly cookie (or a default-tenant record
/// for anonymous users). Statement order matters here: the Anonymize() calls change the
/// state that the later checks read.
/// </summary>
/// <param name="ignoreCSRFToken">When true, both CSRF token checks are skipped.</param>
/// <exception cref="InvalidLoginException">
/// Thrown when the CSRF token is missing or does not match the user cookie, or when the
/// user id in the user cookie disagrees with the one in the login payload.
/// </exception>
public void Validate(bool ignoreCSRFToken)
{
    // No CSRF token supplied at all on a request that requires one: reject outright.
    if (!ignoreCSRFToken && csrfToken == null) // Unacceptable
    {
        throw new InvalidLoginException("Invalid CSRF request");
    }

    // Either cookie absent: treat the request as anonymous.
    // NOTE(review): the checks below keep dereferencing httpCookie/userCookie, so this
    // assumes Anonymize() leaves both non-null — confirm.
    if (httpCookie == null || userCookie == null)
    {
        Anonymize();
    }

    if (!ValidSignature())
    {
        // Downgrade to anonymous cookies.
        // You might be wondering why we let the guy go as anonymous
        // we do this so that when we change the cookie format
        // users can upgrade their login cookies by logging in again.
        Anonymize();
    }

    // csrfToken is non-null here when the check is active (guarded above).
    // SlowEquals is presumably a constant-time comparison, which is what comparing a
    // secret token needs — do not replace it with ==. Assumes it tolerates a null
    // userCookie.CSRFToken after Anonymize() — confirm.
    if (!ignoreCSRFToken && !csrfToken.SlowEquals(userCookie.CSRFToken)) // Unacceptable
    {
        throw new InvalidLoginException("Invalid CSRF request");
    }

    // Authenticated: decode the login payload from the HttpOnly cookie with the configured key.
    // Anonymous: synthesise a payload carrying only the default tenant.
    if (!IsAnonymous)
    {
        mobileLoginInfo = MobileLoginReadWriter.Read(configuration.EncryptKey, httpCookie.LoginId);
    }
    else
    {
        mobileLoginInfo = new MobileLoginInfo { TenantId = configuration.DefaultTenantId };
    }

    // The script-readable cookie and the HttpOnly payload must agree on who is logged in;
    // a mismatch means one of them was tampered with or they are out of sync.
    if (userCookie.UserId != mobileLoginInfo.UserId)
    {
        throw new InvalidLoginException("Inconsistent Login Info");
    }
}