public ActionResult SwitchAffiliateForms(string to, string nonce, string authCode, string affId, string background, string color, string callback, string newCookie) { var shouldMatch = Current.MakeAuthCode(new { nonce, to, affId, background, color, callback, newCookie }); if (shouldMatch != authCode) { return(GenericSecurityError()); } Nonces.MarkUsed(nonce, Current.RemoteIP); bool addCookie; if (bool.TryParse(newCookie, out addCookie) && addCookie) { Current.GenerateAnonymousXSRFCookie(); // Pull the callback forward into the new cookie var cookie = System.Web.HttpContext.Current.CookieSentOrReceived(Current.AnonymousCookieName); Current.AddToCache(CallbackKey(cookie), callback, TimeSpan.FromMinutes(15)); } switch (to) { case "login": var cookie = System.Web.HttpContext.Current.CookieSentOrReceived(Current.AnonymousCookieName); return(LoginIFrame(null, background, color)); case "signup": return(SignupIFrame(null, background, color)); } return(UnexpectedState("Tried to switch to an unknown form [" + to + "]")); }
/// <summary> /// Returns true if the parameters contain a valid signature for a request. /// </summary> private static bool VerifySignature(Dictionary <string, string> @params, out Affiliate validFor, out string failureReason) { if ([email protected]("authCode") || [email protected]("affId") || [email protected]("nonce")) { validFor = null; failureReason = "Missing parameter"; return(false); } validFor = null; var authCode = @params["authCode"].ToString(); int affId; if (!int.TryParse(@params["affId"], out affId)) { failureReason = "No affId"; return(false); } var nonce = @params["nonce"].ToString(); string nonceMsg; if (!Nonces.IsValid(nonce, Current.RemoteIP, out nonceMsg)) { failureReason = "Invalid Nonce [" + nonceMsg + "]"; return(false); } var affiliate = Current.ReadDB.Affiliates.SingleOrDefault(a => a.Id == affId); if (affiliate == null) { failureReason = "Could not find affiliate"; return(false); } var copy = new Dictionary <string, string>(); foreach (var item in @params.Keys.Where(k => k != "authCode")) { copy[item] = @params[item]; } if (authCode.HasValue() && !affiliate.ConfirmSignature(authCode, Current.RequestUri.AbsolutePath, copy)) { failureReason = "Affiliate signature confirmation failed"; return(false); } validFor = affiliate; Nonces.MarkUsed(nonce, Current.RemoteIP); failureReason = null; return(true); }
public void DoubleNonceUseFails() { string ignored; for (int i = 0; i < 1000000; i++) { var nonce = Nonces.Create(); Assert.IsTrue(Nonces.IsValid(nonce, "127.0.0.1", out ignored), "Failed on " + nonce); Nonces.MarkUsed(nonce, "127.0.0.1"); Assert.IsFalse(Nonces.IsValid(nonce, "127.0.0.2", out ignored), "Accepted twice " + nonce); } }