/// <summary>
/// Checks item expiration: the item stored under <c>Id</c> must be readable right away and
/// must no longer be returned once its timeout has elapsed.
/// </summary>
/// <param name="provider">Session store under test; the item is looked up by the shared <c>Id</c>.</param>
private static void CheckExpiry(SessionStateStoreProviderBase provider)
{
    bool isLocked;
    TimeSpan lockedFor;
    object lockToken;
    SessionStateActions requestedActions;

    // The item was created before this check runs, so it must still resolve by Id.
    var before = provider.GetItem(HttpContext, Id, out isLocked, out lockedFor, out lockToken, out requestedActions);
    Assert.IsNotNull(before);

    // Sleep slightly longer than a minute (presumably the item's timeout — confirm against the
    // creating test) and the store must now report the item as gone.
    var graceWindow = TimeSpan.FromMinutes(1.05);
    Thread.Sleep(graceWindow);
    var after = provider.GetItem(HttpContext, Id, out isLocked, out lockedFor, out lockToken, out requestedActions);
    Assert.IsNull(after);
}
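/// <summary>
/// Replaces the current request's session ID with a freshly generated one, so a session
/// established before authentication cannot be carried over (session fixation mitigation).
/// The old item is deleted from the store rather than merely unlocked, so the previous ID
/// stops resolving to live state; the in-memory state is expected to be written back under
/// the new ID when the module releases it at the end of the request.
/// </summary>
/// <exception cref="InvalidOperationException">
/// No session module is registered as "Session", or the private fields this method relies on
/// are not present. Those fields are internal to <see cref="SessionStateModule"/> and are not
/// public API, so a framework update may rename them.
/// </exception>
void regenerateId()
{
    SessionIDManager manager = new SessionIDManager();
    string oldId = manager.GetSessionID(Context);
    string newId = manager.CreateSessionID(Context);
    bool isAdd, isRedir;
    // Issues the new ID to the client (cookie, or a redirect in cookieless mode); the flags are not needed here.
    manager.SaveSessionID(Context, newId, out isRedir, out isAdd);

    HttpApplication app = (HttpApplication)HttpContext.Current.ApplicationInstance;
    SessionStateModule ssm = app.Modules.Get("Session") as SessionStateModule;
    if (ssm == null)
    {
        throw new InvalidOperationException("No SessionStateModule is registered as \"Session\".");
    }

    // The module keeps its per-request state in private fields; locate them by name.
    SessionStateStoreProviderBase store = null;
    FieldInfo rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null, rqItemField = null;
    foreach (FieldInfo field in ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance))
    {
        if (string.Equals(field.Name, "_store", StringComparison.Ordinal))
        {
            store = (SessionStateStoreProviderBase)field.GetValue(ssm);
        }
        else if (string.Equals(field.Name, "_rqId", StringComparison.Ordinal))
        {
            rqIdField = field;
        }
        else if (string.Equals(field.Name, "_rqLockId", StringComparison.Ordinal))
        {
            rqLockIdField = field;
        }
        else if (string.Equals(field.Name, "_rqSessionStateNotFound", StringComparison.Ordinal))
        {
            rqStateNotFoundField = field;
        }
        else if (string.Equals(field.Name, "_rqItem", StringComparison.Ordinal))
        {
            rqItemField = field;
        }
    }

    // Fail loudly instead of with a NullReferenceException when the framework layout differs.
    if (store == null || rqIdField == null || rqLockIdField == null || rqStateNotFoundField == null)
    {
        throw new InvalidOperationException("SessionStateModule does not expose the private fields regenerateId relies on.");
    }

    // Remove the old item: releasing only the lock would leave the old ID usable until it times out.
    object lockId = rqLockIdField.GetValue(ssm);
    if (lockId != null && oldId != null)
    {
        SessionStateStoreData rqItem = rqItemField == null ? null : (SessionStateStoreData)rqItemField.GetValue(ssm);
        store.RemoveItem(Context, oldId, lockId, rqItem);
    }

    // Marking the state as "not found" makes the module create the item afresh under the new ID.
    rqStateNotFoundField.SetValue(ssm, true);
    rqIdField.SetValue(ssm, newId);
}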
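/// <summary>
/// Application start-up hook. When the <c>ApplicationName</c> app setting is present, it is pushed
/// into the session-state machinery by reflection on private framework fields — presumably so that
/// several applications address one out-of-process session store under a shared name. Every
/// application that uses the same name can then read and write the others' sessions, so the set of
/// applications sharing it should be chosen deliberately.
/// </summary>
/// <exception cref="InvalidOperationException">
/// A private field this method relies on was not found. Those fields belong to
/// <see cref="SessionStateModule"/>, <see cref="HttpRuntime"/> and the state-server store; they are
/// not public API and may change between framework versions.
/// </exception>
public override void Init()
{
    base.Init();

    // Nothing to patch when no application name is configured.
    string appName = ConfigurationManager.AppSettings["ApplicationName"];
    if (string.IsNullOrEmpty(appName))
    {
        return;
    }

    foreach (string moduleName in this.Modules)
    {
        SessionStateModule ssm = this.Modules[moduleName] as SessionStateModule;
        if (ssm == null)
        {
            continue;
        }

        FieldInfo storeInfo = typeof(SessionStateModule).GetField("_store", BindingFlags.Instance | BindingFlags.NonPublic);
        if (storeInfo == null)
        {
            throw new InvalidOperationException("SessionStateModule has no private field \"_store\".");
        }

        SessionStateStoreProviderBase store = (SessionStateStoreProviderBase)storeInfo.GetValue(ssm);
        if (store == null)
        {
            // In IIS7 Integrated mode module.Init() is called later, so no store exists yet;
            // set the application id on the runtime singleton instead.
            FieldInfo runtimeInfo = typeof(HttpRuntime).GetField("_theRuntime", BindingFlags.Static | BindingFlags.NonPublic);
            FieldInfo appNameInfo = typeof(HttpRuntime).GetField("_appDomainAppId", BindingFlags.Instance | BindingFlags.NonPublic);
            if (runtimeInfo == null || appNameInfo == null)
            {
                throw new InvalidOperationException("HttpRuntime has no private fields \"_theRuntime\" / \"_appDomainAppId\".");
            }
            HttpRuntime theRuntime = (HttpRuntime)runtimeInfo.GetValue(null);
            appNameInfo.SetValue(theRuntime, appName);
        }
        else
        {
            // Only the state-server store is patched here; other store types are left untouched.
            Type storeType = store.GetType();
            if (string.Equals(storeType.Name, "OutOfProcSessionStateStore", StringComparison.Ordinal))
            {
                FieldInfo uribaseInfo = storeType.GetField("s_uribase", BindingFlags.Static | BindingFlags.NonPublic);
                if (uribaseInfo == null)
                {
                    throw new InvalidOperationException("OutOfProcSessionStateStore has no private static field \"s_uribase\".");
                }
                // Static field: the target instance is ignored, so pass null.
                uribaseInfo.SetValue(null, appName);
            }
        }
    }
}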
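/// <summary>
/// Application start-up hook for a state-server configuration: forces the session-state application
/// name to a fixed value by reflection on private framework fields, but only when the configured
/// session mode is <see cref="SessionStateMode.StateServer"/>. Presumably this lets the application
/// join a session store shared under that name; every application using the same name can read and
/// write the others' sessions. Only the first session module found is patched.
/// </summary>
/// <exception cref="InvalidOperationException">
/// A private field this method relies on was not found. Those fields belong to
/// <see cref="SessionStateModule"/>, <see cref="HttpRuntime"/> and the state-server store; they are
/// not public API and may change between framework versions.
/// </exception>
public override void Init()
{
    base.Init();

    // Fixed name for this configuration (the loop never changes it, so it lives outside the loop).
    const string appName = "APPNAME1";

    foreach (string moduleName in this.Modules)
    {
        SessionStateModule ssm = this.Modules[moduleName] as SessionStateModule;
        if (ssm == null)
        {
            continue;
        }

        FieldInfo storeInfo = typeof(SessionStateModule).GetField("_store", BindingFlags.Instance | BindingFlags.NonPublic);
        FieldInfo configMode = typeof(SessionStateModule).GetField("s_configMode", BindingFlags.Instance | BindingFlags.NonPublic | BindingFlags.Static);
        if (storeInfo == null || configMode == null)
        {
            throw new InvalidOperationException("SessionStateModule has no private fields \"_store\" / \"s_configMode\".");
        }

        SessionStateMode mode = (SessionStateMode)configMode.GetValue(ssm);
        if (mode == SessionStateMode.StateServer)
        {
            SessionStateStoreProviderBase store = (SessionStateStoreProviderBase)storeInfo.GetValue(ssm);
            if (store == null)
            {
                // In IIS7 Integrated mode module.Init() is called later, so no store exists yet;
                // set the application id on the runtime singleton instead.
                FieldInfo runtimeInfo = typeof(HttpRuntime).GetField("_theRuntime", BindingFlags.Static | BindingFlags.NonPublic);
                FieldInfo appNameInfo = typeof(HttpRuntime).GetField("_appDomainAppId", BindingFlags.Instance | BindingFlags.NonPublic);
                if (runtimeInfo == null || appNameInfo == null)
                {
                    throw new InvalidOperationException("HttpRuntime has no private fields \"_theRuntime\" / \"_appDomainAppId\".");
                }
                HttpRuntime theRuntime = (HttpRuntime)runtimeInfo.GetValue(null);
                appNameInfo.SetValue(theRuntime, appName);
            }
            else
            {
                // Only the state-server store is patched here; other store types are left untouched.
                Type storeType = store.GetType();
                if (string.Equals(storeType.Name, "OutOfProcSessionStateStore", StringComparison.Ordinal))
                {
                    FieldInfo uribaseInfo = storeType.GetField("s_uribase", BindingFlags.Static | BindingFlags.NonPublic);
                    if (uribaseInfo == null)
                    {
                        throw new InvalidOperationException("OutOfProcSessionStateStore has no private static field \"s_uribase\".");
                    }
                    // Static field: the target instance is ignored, so pass null. The original
                    // read-back of the value was dead code and has been dropped.
                    uribaseInfo.SetValue(null, appName);
                }
            }
        }

        // Only the first session module is handled.
        break;
    }
}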
/// <summary>
/// Checks the provider: a freshly created uninitialized item must come back with the requested
/// timeout, unlocked, with no lock age or lock id, and with no pending actions.
/// </summary>
/// <param name="provider">Session store under test; it is disposed at the end of the check.</param>
private static void CheckProvider(SessionStateStoreProviderBase provider)
{
    bool isLocked;
    TimeSpan lockedFor;
    object lockToken;
    SessionStateActions requestedActions;
    const int expectedTimeout = 42;

    provider.InitializeRequest(HttpContext);
    provider.CreateUninitializedItem(HttpContext, Id, expectedTimeout);

    var item = provider.GetItem(HttpContext, Id, out isLocked, out lockedFor, out lockToken, out requestedActions);

    Assert.IsNotNull(item);
    Assert.AreEqual(expectedTimeout, item.Timeout);
    Assert.IsFalse(isLocked);
    Assert.AreEqual(TimeSpan.Zero, lockedFor);
    Assert.IsNull(lockToken);
    Assert.AreEqual(SessionStateActions.None, requestedActions);

    // Touch the timeout, finish the request and release the provider.
    provider.ResetItemTimeout(HttpContext, Id);
    provider.EndRequest(HttpContext);
    provider.Dispose();
}
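// adapted from https://stackoverflow.com/a/4420114/6121074
/// <summary>
/// prevent http session fixation attack by generating a new http session ID upon login.
/// The old item is removed from the store so the previous ID no longer resolves to live state;
/// the module re-adds the state under the new ID when the request releases it.
/// </summary>
/// <remarks>
/// https://www.owasp.org/index.php/Session_Fixation
/// Relies on private fields of <see cref="SessionStateModule"/>, which are not public API;
/// if a framework update renames them this method throws instead of silently keeping the old ID.
/// </remarks>
/// <returns>new session ID</returns>
/// <exception cref="InvalidOperationException">
/// no session module is registered as "Session", or an expected private field is missing
/// </exception>
public static string RegenerateSessionId()
{
    var context = HttpContext.Current;

    // create a new session id and hand it to the client
    var manager = new SessionIDManager();
    var oldId = manager.GetSessionID(context);
    var newId = manager.CreateSessionID(context);
    bool redirected, cookieAdded;
    // in cookieless mode SaveSessionID may redirect to carry the new id in the URL; the flags are not needed here
    manager.SaveSessionID(context, newId, out redirected, out cookieAdded);

    // retrieve the current session module
    var session = context.ApplicationInstance.Modules.Get("Session") as SessionStateModule;
    if (session == null)
    {
        throw new InvalidOperationException("No SessionStateModule is registered as \"Session\".");
    }

    // parse the session fields
    SessionStateStoreProviderBase store = null;
    FieldInfo rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null;
    SessionStateStoreData rqItem = null;
    foreach (var field in session.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance))
    {
        switch (field.Name)
        {
            case "_store":
                store = (SessionStateStoreProviderBase)field.GetValue(session);
                break;
            case "_rqId":
                rqIdField = field;
                break;
            case "_rqLockId":
                rqLockIdField = field;
                break;
            case "_rqSessionStateNotFound":
                rqStateNotFoundField = field;
                break;
            case "_rqItem":
                rqItem = (SessionStateStoreData)field.GetValue(session);
                break;
        }
    }

    // fail with a clear message rather than a NullReferenceException when the layout differs
    if (store == null || rqIdField == null || rqLockIdField == null || rqStateNotFoundField == null)
    {
        throw new InvalidOperationException("SessionStateModule does not expose the private fields RegenerateSessionId relies on.");
    }

    // remove the session from the store so the old id stops resolving
    var lockId = rqLockIdField.GetValue(session);
    if (lockId != null && oldId != null)
    {
        store.RemoveItem(context, oldId, lockId, rqItem);
    }

    // assign the new id to the session
    // the session will be added back to the store, with the new id, on the next http request
    rqStateNotFoundField.SetValue(session, true);
    rqIdField.SetValue(session, newId);
    return newId;
}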
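/// <summary>
/// Initializes this provider by creating the framework's internal in-process store
/// (<c>System.Web.SessionState.InProcSessionStateStore</c>) by reflection and forwarding the
/// provider name and configuration to it.
/// </summary>
/// <param name="name">Provider name, passed through to the wrapped store.</param>
/// <param name="config">Provider configuration, passed through to the wrapped store.</param>
/// <exception cref="InvalidOperationException">
/// The internal store type was not found in the assembly that defines
/// <see cref="SessionStateStoreProviderBase"/>; the type is not public API and may be renamed or removed.
/// </exception>
public override void Initialize(string name, System.Collections.Specialized.NameValueCollection config)
{
    // The in-proc store is an internal framework type, so it can only be reached by name.
    const string inProcStoreTypeName = "System.Web.SessionState.InProcSessionStateStore";
    Type inProcSessionStoreType = typeof(SessionStateStoreProviderBase).Assembly.GetType(inProcStoreTypeName);
    if (inProcSessionStoreType == null)
    {
        throw new InvalidOperationException("Type " + inProcStoreTypeName + " was not found in the assembly that defines SessionStateStoreProviderBase.");
    }

    inProcSessionStore = (SessionStateStoreProviderBase)Activator.CreateInstance(inProcSessionStoreType);
    inProcSessionStore.Initialize(name, config);
}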