/// <summary> /// Handles the request /// </summary> /// <returns>The awaitable task.</returns> /// <param name="context">The requests context.</param> public async Task <bool> HandleAsync(IHttpContext context) { var xsrf = context.Request.Headers[XSRFHeaderName] ?? context.Request.Cookies[XSRFCookieName]; var cookie = context.Request.Cookies[AuthSessionCookieName]; SessionRecord session = null; if (!string.IsNullOrWhiteSpace(xsrf)) { session = await ShortTermStorage.GetSessionFromXSRFAsync(xsrf); if (Utility.IsNullOrExpired(session)) { session = null; } else { await RefreshSessionTokensAsync(context, session); } } if (session == null && !string.IsNullOrWhiteSpace(cookie)) { session = await ShortTermStorage.GetSessionFromCookieAsync(cookie); if (Utility.IsNullOrExpired(session)) { session = null; } else { await RefreshSessionTokensAsync(context, session); } } // Check that we have not already set the XSRF cookie if (context.Response.Cookies.FirstOrDefault(x => x.Name == XSRFCookieName) == null) { if (session == null) { session = new SessionRecord() { XSRFToken = PRNG.GetRandomString(32), Expires = DateTime.Now.AddSeconds(ShortTermExpirationSeconds) }; await ShortTermStorage.AddSessionAsync(session); } // If the connection is using SSL, require SSL for the cookie var usingssl = context.Request.SslProtocol != System.Security.Authentication.SslProtocols.None; context.Response.AddCookie(XSRFCookieName, session.XSRFToken, expires: session.Expires, httponly: false, secure: usingssl); } return(false); }
/// <summary> /// Handles the request /// </summary> /// <returns>The awaitable task.</returns> /// <param name="context">The requests context.</param> public virtual async Task <bool> HandleAsync(IHttpContext context) { if (!ForceCheck && !string.IsNullOrWhiteSpace(context.Request.UserID)) { return(false); } var xsrf = context.Request.Headers[XSRFHeaderName]; var cookie = context.Request.Cookies[AuthSessionCookieName]; if (UseXSRFTokens && CheckXSRFToken && string.IsNullOrWhiteSpace(xsrf)) { return(SetXSRFError(context)); } if (UseXSRFTokens && CheckXSRFToken) { var session = await ShortTermStorage.GetSessionFromXSRFAsync(xsrf); if (Utility.IsNullOrExpired(session)) { return(SetXSRFError(context)); } if (string.IsNullOrWhiteSpace(cookie) || session.Cookie != cookie) { if (await LoginWithBasicAuth(context)) { return(false); } if (await PerformLongTermLogin(context)) { return(false); } // Check for a Hijack response if (context.Response.HasSentHeaders) { return(true); } return(SetLoginError(context)); } await RefreshSessionTokensAsync(context, session); context.Request.UserID = session.UserID; } else { SessionRecord session = null; if (!string.IsNullOrWhiteSpace(cookie)) { session = await ShortTermStorage.GetSessionFromCookieAsync(cookie); } if (Utility.IsNullOrExpired(session)) { if (await LoginWithBasicAuth(context)) { return(false); } if (await PerformLongTermLogin(context)) { return(false); } // Check for a Hijack response if (context.Response.HasSentHeaders) { return(true); } return(SetLoginError(context)); } await RefreshSessionTokensAsync(context, session); context.Request.UserID = session.UserID; } return(false); }
/// <summary> /// Handles the request /// </summary> /// <returns>The awaitable task.</returns> /// <param name="context">The requests context.</param> public async Task <bool> HandleAsync(IHttpContext context) { var xsrf = context.Request.Headers[XSRFHeaderName] ?? context.Request.Cookies[XSRFCookieName]; var cookie = context.Request.Cookies[AuthSessionCookieName]; var longterm = context.Request.Cookies[AuthCookieName]; var droppedxsrf = false; if (!string.IsNullOrWhiteSpace(xsrf)) { var session = await ShortTermStorage.GetSessionFromXSRFAsync(xsrf); if (session != null) { await ShortTermStorage.DropSessionAsync(session); droppedxsrf = true; } context.Response.AddCookie(XSRFCookieName, "", path: CookiePath, expires: new DateTime(1970, 1, 1), maxage: 0); } if (!string.IsNullOrWhiteSpace(cookie)) { var session = await ShortTermStorage.GetSessionFromCookieAsync(cookie); if (session != null) { await ShortTermStorage.DropSessionAsync(session); } if (session != null || droppedxsrf) { context.Response.AddCookie(AuthSessionCookieName, "", path: CookiePath, expires: new DateTime(1970, 1, 1), maxage: 0); } } if (!string.IsNullOrWhiteSpace(longterm)) { if (LongTermStorage != null) { var pbkdf2 = new LongTermCookie(longterm); if (pbkdf2.IsValid) { var lts = await LongTermStorage.GetLongTermLoginAsync(pbkdf2.Series); if (lts != null) { await LongTermStorage.DropLongTermLoginAsync(lts); } } } context.Response.AddCookie(AuthCookieName, "", path: CookiePath, expires: new DateTime(1970, 1, 1), maxage: 0); } context.Response.StatusCode = (HttpStatusCode)ResultStatusCode; context.Response.StatusMessage = ResultStatusMessage; if (!string.IsNullOrWhiteSpace(RedirectUrl)) { context.Response.Headers["Location"] = RedirectUrl; } return(true); }
/// <summary> /// Handles the request /// </summary> /// <returns>The awaitable task.</returns> /// <param name="context">The requests context.</param> public async Task <bool> HandleAsync(IHttpContext context) { var xsrf = context.Request.Headers[XSRFHeaderName] ?? context.Request.Cookies[XSRFCookieName]; var cookie = context.Request.Cookies[AuthSessionCookieName]; var longterm = context.Request.Cookies[AuthCookieName]; var droppedxsrf = false; if (!string.IsNullOrWhiteSpace(xsrf)) { var session = await ShortTermStorage.GetSessionFromXSRFAsync(xsrf); if (session != null) { // Kill the existing record await ShortTermStorage.DropSessionAsync(session); droppedxsrf = true; // Register a new one on the same XSRF token, // but without any user attached await ShortTermStorage.AddSessionAsync(new SessionRecord() { UserID = null, Cookie = null, XSRFToken = session.XSRFToken, Expires = DateTime.Now.AddSeconds(ShortTermExpirationSeconds) }); } //context.Response.AddCookie(XSRFCookieName, "", path: CookiePath, expires: new DateTime(1970, 1, 1), maxage: 0); } if (!string.IsNullOrWhiteSpace(cookie)) { var session = await ShortTermStorage.GetSessionFromCookieAsync(cookie); if (session != null) { await ShortTermStorage.DropSessionAsync(session); } if (session != null || droppedxsrf) { context.Response.AddCookie(AuthSessionCookieName, "", path: CookiePath, expires: new DateTime(1970, 1, 1), maxage: 0); } } if (!string.IsNullOrWhiteSpace(longterm)) { if (LongTermStorage != null) { var pbkdf2 = new LongTermCookie(longterm); if (pbkdf2.IsValid) { var lts = await LongTermStorage.GetLongTermLoginAsync(pbkdf2.Series); if (lts != null) { await LongTermStorage.DropLongTermLoginAsync(lts); } } } context.Response.AddCookie(AuthCookieName, "", path: CookiePath, expires: new DateTime(1970, 1, 1), maxage: 0); } context.Response.StatusCode = (HttpStatusCode)ResultStatusCode; context.Response.StatusMessage = ResultStatusMessage; if (!string.IsNullOrWhiteSpace(RedirectUrl)) { context.Response.Headers["Location"] = RedirectUrl; } return(true); }