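/// <summary>
/// Rewrites the session cookie on the outgoing response so that it also carries a hash
/// generated from the current request; a later request presenting the cookie can then
/// be checked against the client that originally received it.
/// </summary>
/// <param name="context">The Nancy context whose response cookies are rewritten in place.</param>
public void InjectHashInCookie(NancyContext context)
{
    // ToDo: Get real cookie name
    // Materialise the matches before touching the collection: the loop below removes and adds cookies.
    // Every cookie carrying this name is replaced; SingleOrDefault would instead throw
    // InvalidOperationException when the response sets the name more than once.
    var unsecureCookies = context.Response.Cookies.Where(c => c.Name == "_nsid").ToList();

    foreach (var unsecureCookie in unsecureCookies)
    {
        context.Response.Cookies.Remove(unsecureCookie);

        var secureCookie = new SecureSessionCookie
        {
            SessionId = unsecureCookie.Value,
            Hash = _hashGenerator.GenerateHash(context.Request)
        };

        // Only the value changes; HttpOnly, Secure and Expires are carried over from the original cookie.
        var replacementCookie = new NancyCookie(
            unsecureCookie.Name,
            secureCookie.ToString(),
            unsecureCookie.HttpOnly,
            unsecureCookie.Secure,
            unsecureCookie.Expires);

        context.Response.Cookies.Add(replacementCookie);
    }
}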
/// <summary>
/// Decides whether the request's session cookie fails verification: the request is in a session
/// but the cookie is missing, is not in the secured form, or carries a hash that differs from the
/// one generated for this request.
/// </summary>
/// <param name="request">The incoming request whose session cookie is checked.</param>
/// <returns>
/// <c>true</c> when the cookie fails the check; <c>false</c> when the request is not in a session
/// or the cookie verifies.
/// </returns>
public bool IsSessionHijacked(Request request)
{
    // Nothing to verify for a request that carries no session.
    if (!_sessionDetector.IsInSession(request))
    {
        return false;
    }

    // ToDo: use real cookie name
    var secureCookie = _cookieReader.Read(request, "_nsid");

    // A missing cookie, or one still in the unsecured form, cannot be trusted.
    if (secureCookie == null || !secureCookie.IsSecured)
    {
        return true;
    }

    // NOTE(review): this is an ordinary early-exit comparison of the stored hash against a freshly
    // generated one; if the hash is derived from a secret, a fixed-time comparison would be the safer
    // choice — confirm the hash type and target framework before switching.
    var expectedHash = _hashGenerator.GenerateHash(request);
    return secureCookie.Hash != expectedHash;
}