public void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext == null)
{
throw new ArgumentNullException("filterContext");
}
var cookieName = CsrfData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath);
var cookie = filterContext.HttpContext.Request.Cookies[cookieName];
if (cookie == null || string.IsNullOrEmpty(cookie.Value))
{
// error: cookie token is missing
throw CreateValidationException();
}
var cookieToken = Serializer.Deserialize(cookie.Value);
// Token is either in a traditional form POST or in an AJAX
var formValue = filterContext.HttpContext.Request.IsAjaxRequest()
? filterContext.HttpContext.Request.Headers[CsrfData.GetAntiForgeryTokenHeaderName()]
: filterContext.HttpContext.Request[CsrfData.GetAntiForgeryTokenName(null)];
if (string.IsNullOrEmpty(formValue))
{
// error: form token is missing
throw CreateValidationException();
}
var formToken = Serializer.Deserialize(formValue);
if (!string.Equals(cookieToken.Value, formToken.Value, StringComparison.Ordinal))
{
// error: form token does not match cookie token
throw CreateValidationException();
}
var currentUsername = CsrfData.GetUsername(filterContext.HttpContext.User);
if (!String.Equals(formToken.Username, currentUsername, StringComparison.OrdinalIgnoreCase))
{
// error: form token is not valid for this user
// (don't care about cookie token)
throw CreateValidationException();
}
if (!ValidateFormToken(formToken))
{
// error: custom validation failed
throw CreateValidationException();
}
}
private bool ValidateFormToken(CsrfData token)
{
return(String.Equals(Salt, token.Salt, StringComparison.Ordinal));
}
