// POST: /Account/LogOn (asynchronous worker)
/// <summary>
/// Performs the credential and second-factor checks for an asynchronous log-on and
/// records the outcome in <c>AsyncManager.Parameters</c> for the completion step.
/// On success either <c>returnUrl</c> (when it is a safe, app-local path) or the
/// <c>Home/Index</c> route is stored; on failure a model error is added instead.
/// The submitted <paramref name="model"/> is always stored under <c>"model"</c>, and the
/// outstanding-operation counter is always decremented, even if a check throws.
/// </summary>
/// <param name="model">Posted user name, password and two-factor code.</param>
/// <param name="returnUrl">Requested post-login destination; only accepted when it is a local path
/// that starts with a single "/" and is not a protocol-relative ("//" or "/\") URL.</param>
/// <remarks>
/// This method does not issue the authentication cookie itself; presumably the completion
/// method does that from the stored parameters — confirm against the caller.
/// Accounts with no two-factor secret configured are rejected with the same generic
/// "two factor code is incorrect" message as a wrong code, so the response does not reveal
/// whether two-factor is enabled for the account.
/// The anti-brute-force delay is a blocking <c>Thread.Sleep</c> on the request thread and the
/// updated <c>LastLoginAttemptUtc</c> is not persisted here — whether it survives beyond this
/// request depends on <c>TwoFactorProfile</c>, which is not visible in this file.
/// </remarks>
private void DoLogOn(LogOnModel model, string returnUrl)
{
    try
    {
        if (ModelState.IsValid)
        {
            string failure = null;

            if (!Membership.ValidateUser(model.UserName, model.Password))
            {
                failure = "The user name or password provided is incorrect.";
            }
            else
            {
                var profile = TwoFactorProfile.GetByUserName(model.UserName);
                bool secretConfigured = profile != null && !string.IsNullOrEmpty(profile.TwoFactorSecret);

                if (!secretConfigured)
                {
                    failure = "The two factor code is incorrect.";
                }
                else
                {
                    // Anti-brute-force throttle for the second factor: once the password is known,
                    // a 6-digit TOTP space could otherwise be exhausted quickly. If the previous
                    // attempt on this profile was less than a second ago, stall this one for 5 s.
                    bool recentAttempt = profile.LastLoginAttemptUtc.HasValue
                        && profile.LastLoginAttemptUtc > DateTime.UtcNow - TimeSpan.FromSeconds(1);
                    if (recentAttempt)
                    {
                        System.Threading.Thread.Sleep(5000);
                    }

                    // Stamp the attempt after any stall so the next request measures from now.
                    profile.LastLoginAttemptUtc = DateTime.UtcNow;

                    if (!TimeBasedOneTimePassword.IsValid(profile.TwoFactorSecret, model.TwoFactorCode))
                    {
                        failure = "The two factor code is incorrect.";
                    }
                    else
                    {
                        // Open-redirect guard: require an app-local path and explicitly refuse
                        // "//host" and "/\host" forms, which some browsers treat as absolute.
                        bool safeTarget = Url.IsLocalUrl(returnUrl)
                            && returnUrl.Length > 1
                            && returnUrl.StartsWith("/")
                            && !returnUrl.StartsWith("//")
                            && !returnUrl.StartsWith("/\\");

                        if (safeTarget)
                        {
                            AsyncManager.Parameters["returnUrl"] = returnUrl;
                        }
                        else
                        {
                            AsyncManager.Parameters["action"] = "Index";
                            AsyncManager.Parameters["controller"] = "Home";
                        }
                    }
                }
            }

            if (failure != null)
            {
                ModelState.AddModelError("", failure);
            }
        }

        AsyncManager.Parameters["model"] = model;
    }
    finally
    {
        // Always release the async operation, otherwise the request would never complete.
        AsyncManager.OutstandingOperations.Decrement();
    }
}
// POST: /Account/LogOn (synchronous)
/// <summary>
/// Validates the posted credentials and two-factor code, sets the forms-authentication
/// cookie on success and redirects to <paramref name="returnUrl"/> when it is a safe
/// app-local path, otherwise to <c>Home/Index</c>. Any failure adds a model error and
/// redisplays the log-on view with the submitted model.
/// </summary>
/// <param name="model">Posted user name, password, two-factor code and remember-me flag.</param>
/// <param name="returnUrl">Requested post-login destination; only followed when it is a local path
/// that starts with a single "/" and is not a protocol-relative ("//" or "/\") URL.</param>
/// <returns>A redirect on success; the log-on view with validation errors otherwise.</returns>
/// <remarks>
/// Accounts without a configured two-factor secret are rejected with the same generic
/// "two factor code is incorrect" message as a wrong code, so the response does not reveal
/// whether two-factor is enabled. Unlike the asynchronous worker in this file, this path
/// applies no per-profile delay between second-factor attempts.
/// </remarks>
public ActionResult LogOn(LogOnModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        if (!Membership.ValidateUser(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
        }
        else
        {
            var profile = TwoFactorProfile.GetByUserName(model.UserName);

            // Short-circuit keeps the TOTP check from running when no secret is configured;
            // both cases produce the same generic error.
            bool secondFactorOk = profile != null
                && !string.IsNullOrEmpty(profile.TwoFactorSecret)
                && TimeBasedOneTimePassword.IsValid(profile.TwoFactorSecret, model.TwoFactorCode);

            if (!secondFactorOk)
            {
                ModelState.AddModelError("", "The two factor code is incorrect.");
            }
            else
            {
                FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

                // Open-redirect guard: require an app-local path and explicitly refuse
                // "//host" and "/\host" forms, which some browsers treat as absolute.
                bool safeTarget = Url.IsLocalUrl(returnUrl)
                    && returnUrl.Length > 1
                    && returnUrl.StartsWith("/")
                    && !returnUrl.StartsWith("//")
                    && !returnUrl.StartsWith("/\\");

                if (safeTarget)
                {
                    return Redirect(returnUrl);
                }

                return RedirectToAction("Index", "Home");
            }
        }
    }

    // If we got this far, something failed, redisplay form
    return View(model);
} // end LogOn