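/// <summary>
/// Ensures that the current session contains data for the authenticated user.
/// </summary>
/// <remarks>
/// SECURITY: when the request is not authenticated and <c>provider.IsProduction()</c> returns
/// false, a <c>cid</c> query-string value is accepted in place of credentials and the request
/// is given that client's identity and roles. The production check is the only control on this
/// path, and it is a runtime check, so the path fails open if the environment is mis-detected.
/// Preferred fixes: remove the path, or compile it out of release builds (for example under
/// <c>#if DEBUG</c>), restrict it to local requests, and log every use so it can be audited.
/// </remarks>
/// <param name="context">The current HTTP context. Must not be null.</param>
/// <param name="provider">
/// Provider used to load the client and to report whether the environment is production.
/// Must not be null.
/// </param>
/// <returns>
/// Whatever the <c>CheckSession(provider, model)</c> overload returns; it receives the resolved
/// client, or null when no client was resolved.
/// </returns>
/// <exception cref="ArgumentNullException">
/// <paramref name="context"/> or <paramref name="provider"/> is null.
/// </exception>
public static IClient CheckSession(this HttpContextBase context, IProvider provider)
{
    if (context == null)
    {
        throw new ArgumentNullException(nameof(context));
    }

    if (provider == null)
    {
        throw new ArgumentNullException(nameof(provider));
    }

    IClient model = null;

    // A request with no principal attached is treated as unauthenticated instead of
    // failing with a NullReferenceException.
    bool isAuthenticated = context.User?.Identity?.IsAuthenticated == true;

    if (isAuthenticated)
    {
        model = context.CurrentUser(provider);
    }
    else if (!provider.IsProduction())
    {
        // Password-less login: a cid query-string parameter selects the client to sign in as.
        // Looks like leftover debugging support; the IsProduction() test above is the only
        // thing keeping it out of production.
        // NOTE(review): confirm how IsProduction() is derived and that it cannot report
        // false on a production host; see the remarks on this method for the preferred fix.
        var qs = context.Request.QueryString;

        // AllKeys.Contains is an exact-case match on "cid". It is kept so that this change
        // does not widen the set of requests that reach the lookup below.
        if (qs.AllKeys.Contains("cid") && int.TryParse(qs["cid"], out int cid))
        {
            model = provider.Data.Client.GetClient(cid);

            if (model != null)
            {
                // Give the request the client's identity and roles, and record the user name
                // in the session.
                context.User = new GenericPrincipal(new GenericIdentity(model.UserName), model.Roles());
                context.Session[SessionKeys.UserName] = model.UserName;
            }
        }
    }

    return context.CheckSession(provider, model);
}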