public void Security_ReturnUrlAndSecureCookie(HostType hostType) { using (ApplicationDeployer deployer = new ApplicationDeployer()) { string applicationUrl = deployer.Deploy(hostType, ReturnUrlAndSecureCookieConfiguration); string secureServerUri = new UriBuilder(applicationUrl) { Scheme = Uri.UriSchemeHttps }.Uri.AbsoluteUri; HttpClientHandler handler = new HttpClientHandler(); HttpClient httpClient = new HttpClient(handler); // Unauthenticated request - verify Redirect url HttpResponseMessage response = httpClient.GetAsync(applicationUrl).Result; CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Unauthenticated requests not automatically redirected to login page", "MyRedirectUrl"); var validCookieCredentials = new FormUrlEncodedContent(new kvp[] { new kvp("username", "test"), new kvp("password", "test") }); response = httpClient.PostAsync(response.RequestMessage.RequestUri, validCookieCredentials).Result; response.EnsureSuccessStatusCode(); //Verify cookie sent Assert.False(handler.CookieContainer.Count != 1, "Forms auth cookie not received automatically after successful login"); Cookie loginCookie = handler.CookieContainer.GetCookies(new Uri(secureServerUri))[0]; Assert.Equal(loginCookie.Secure, true); } }
public void Security_CustomSecureDataHandler(HostType hostType) { using (ApplicationDeployer deployer = new ApplicationDeployer()) { string applicationUrl = deployer.Deploy(hostType, CustomSecureDataHandlerConfiguration); string homePath = applicationUrl + "Auth/Home"; string logoutPath = applicationUrl + string.Format("Auth/Logout?ReturnUrl={0}", new Uri(homePath).AbsolutePath); var handler = new HttpClientHandler(); var httpClient = new HttpClient(handler); // Unauthenticated request var response = httpClient.GetAsync(applicationUrl).Result; CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Unauthenticated requests not automatically redirected to login page"); // Valid credentials var validCookieCredentials = new FormUrlEncodedContent(new kvp[] { new kvp("username", "test"), new kvp("password", "test") }); response = httpClient.PostAsync(response.RequestMessage.RequestUri, validCookieCredentials).Result; Assert.Equal <string>("OnResponseSignedIn.CustomSecureDataHandler", response.Content.ReadAsStringAsync().Result); Assert.Equal <string>(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri); var cookieBackup = handler.CookieContainer.GetCookies(new Uri(applicationUrl))[".AspNet.Cookies"]; for (int retryCount = 0; retryCount < 10; retryCount++) { response = httpClient.GetAsync(applicationUrl).Result; Assert.Equal <string>("CustomSecureDataHandler", response.Content.ReadAsStringAsync().Result); Assert.Equal <string>(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri); } //Logout the client response = httpClient.GetAsync(logoutPath).Result; Assert.True(handler.CookieContainer.Count == 0, "Cookie is not cleared on logout"); Assert.Equal <string>("Welcome Home", response.Content.ReadAsStringAsync().Result); //Try login with a corrupt cookie to see that Exception notification is triggered. handler.CookieContainer.Add(new Cookie("ExceptionTrigger", "true", "/", cookieBackup.Domain)); handler.CookieContainer.Add(cookieBackup); response = httpClient.GetAsync(applicationUrl).Result; Assert.Equal <string>("OnException.CustomSecureDataHandler", response.Content.ReadAsStringAsync().Result); } }
public void Security_PersistentCookie(HostType hostType) { using (ApplicationDeployer deployer = new ApplicationDeployer()) { string applicationUrl = deployer.Deploy(hostType, PersistentCookieConfiguration); string homePath = applicationUrl + "Auth/Home"; string logoutPath = applicationUrl + string.Format("Auth/Logout?ReturnUrl={0}", new Uri(homePath).AbsolutePath); var handler = new HttpClientHandler(); var httpClient = new HttpClient(handler); // Unauthenticated request var response = httpClient.GetAsync(applicationUrl).Result; CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Unauthenticated requests not automatically redirected to login page"); // Valid credentials var validPersistingCredentials = new FormUrlEncodedContent(new kvp[] { new kvp("username", "test"), new kvp("password", "test"), new kvp("rememberme", "on") }); response = httpClient.PostAsync(response.RequestMessage.RequestUri, validPersistingCredentials).Result; response.EnsureSuccessStatusCode(); Assert.Equal <string>(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri); //Verify cookie sent Assert.True(handler.CookieContainer.Count == 1, "Did not receive one cookie as expected"); var cookie = handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0]; Assert.True(cookie != null && cookie.Name == "KATANACOOKIE", "Cookie with name 'KATANACOOKIE' not found"); Assert.True((cookie.Expires - DateTime.Now).Days > 10, "Did not receive a persistent cookie"); //Logout the client response = httpClient.GetAsync(logoutPath).Result; Assert.True(handler.CookieContainer.Count == 0, "Cookie is not cleared on logout"); Assert.Equal <string>(homePath, response.RequestMessage.RequestUri.AbsoluteUri); //Try accessing protected resource again. It should get redirected to login page response = httpClient.GetAsync(applicationUrl).Result; CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Request not automatically redirected to login page after cookie expiry"); } }
public void Security_HttpCookieOnlyAndCookiePath(HostType hostType) { using (ApplicationDeployer deployer = new ApplicationDeployer()) { string applicationUrl = deployer.Deploy(hostType, HttpCookieOnlyAndCookiePathConfiguration); string passiveAuthLoginPage = applicationUrl + "Auth/PassiveAuthLogin"; string homePath = applicationUrl + "Auth/Home"; string logoutPath = applicationUrl + string.Format("Auth/Logout?ReturnUrl={0}", new Uri(homePath).AbsolutePath); var handler = new HttpClientHandler(); var httpClient = new HttpClient(handler); var response = httpClient.GetAsync(passiveAuthLoginPage).Result; CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, passiveAuthLoginPage, "Unauthenticated requests not automatically redirected to login page"); var validCookieCredentials = new FormUrlEncodedContent(new kvp[] { new kvp("username", "test"), new kvp("password", "test") }); response = httpClient.PostAsync(response.RequestMessage.RequestUri, validCookieCredentials).Result; //Verify cookie sent Assert.Equal(2, handler.CookieContainer.Count); CookieCollection cookies = handler.CookieContainer.GetCookies(new Uri(applicationUrl + "Auth")); Cookie applicationCookie = cookies[CookieAuthenticationDefaults.CookiePrefix + "Application"]; Cookie temporaryCookie = cookies["TemporaryCookie"]; Assert.NotNull(applicationCookie); Assert.NotNull(temporaryCookie); Assert.True(applicationCookie.HttpOnly); Assert.Equal("/", applicationCookie.Path); Assert.False(temporaryCookie.HttpOnly); Assert.Equal(temporaryCookie.Path, new Uri(applicationUrl).AbsolutePath + "Auth"); Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri); //Logout the client response = httpClient.GetAsync(logoutPath).Result; Assert.True(handler.CookieContainer.Count == 0, "Cookie is not cleared on logout"); Assert.Equal(homePath, response.RequestMessage.RequestUri.AbsoluteUri); } }
public void Security_CookiesAuthDefaults(HostType hostType) { using (ApplicationDeployer deployer = new ApplicationDeployer()) { string applicationUrl = deployer.Deploy(hostType, CookieAuthDefaultsConfiguration); string homePath = applicationUrl + "Auth/Home"; string logoutPath = applicationUrl + string.Format("Auth/Logout?ReturnUrl={0}", new Uri(homePath).AbsolutePath); var handler = new HttpClientHandler(); var httpClient = new HttpClient(handler); // Unauthenticated request var response = httpClient.GetAsync(applicationUrl).Result; CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Unauthenticated requests not automatically redirected to login page"); // Invalid credentials test for (int retryCount = 0; retryCount < 2; retryCount++) { response = httpClient.PostAsync(response.RequestMessage.RequestUri, GetInValidCookieCredentials()).Result; CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Invalid credentials - not automatically redirecting to login page with proper ReturnUrl"); } // Valid credentials response = httpClient.PostAsync(response.RequestMessage.RequestUri, GetValidCookieCredentials()).Result; Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri); //Verify cookie sent Assert.False(handler.CookieContainer.Count != 1 || handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0].Name != "KATANACOOKIE", string.Format("Forms auth cookie with expected name '{0}' not received automatically after successful login", "KATANACOOKIE")); //Retry multiple times with valid cookie to test sliding expiration for (int retryCount = 0; retryCount < 3; retryCount++) { Thread.Sleep(2 * 1000); response = httpClient.GetAsync(applicationUrl).Result; response.EnsureSuccessStatusCode(); Assert.Equal("ProtectedResource", response.Content.ReadAsStringAsync().Result); Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri); } //Expire the cookie & verify if request is redirected to login page again Thread.Sleep(3 * 1000); response = httpClient.GetAsync(applicationUrl).Result; response.EnsureSuccessStatusCode(); CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Request not automatically redirected to login page after cookie expiry"); //Reauthenticate with valid cookie & verify if protected resource is accessible again response = httpClient.PostAsync(response.RequestMessage.RequestUri, GetValidCookieCredentials()).Result; Assert.Equal("ProtectedResource", response.Content.ReadAsStringAsync().Result); Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri); //Make one successful call response = httpClient.GetAsync(applicationUrl).Result; //Now corrupt the cookie to see if this gets redirected to login page string backUpCookieValue = handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0].Value; handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0].Value = "invalid cookie value"; response = httpClient.GetAsync(applicationUrl).Result; CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Request not automatically redirected to login page after cookie expiry"); //put back the valid cookie & verify protected resource is accessible again handler.CookieContainer.GetCookies(new Uri(applicationUrl))[0].Value = backUpCookieValue; response = httpClient.GetAsync(applicationUrl).Result; Assert.Equal("ProtectedResource", response.Content.ReadAsStringAsync().Result); Assert.Equal(applicationUrl, response.RequestMessage.RequestUri.AbsoluteUri); //Logout the client response = httpClient.GetAsync(logoutPath).Result; Assert.True(handler.CookieContainer.Count == 0, "Cookie is not cleared on logout"); Assert.Equal("Welcome Home", response.Content.ReadAsStringAsync().Result); //Try accessing protected resource again. It should get redirected to login page response = httpClient.GetAsync(applicationUrl).Result; CookiesCommon.IsRedirectedToCookiesLogin(response.RequestMessage.RequestUri, applicationUrl, "Request not automatically redirected to login page after cookie expiry"); } }