/// <summary> /// Encrypt and sign the cookie contents /// </summary> /// <param name="cookieValue">Plain text cookie value</param> /// <param name="configuration">Current configuration</param> /// <returns>Encrypted and signed string</returns> private static string EncryptAndSignCookie(string cookieValue, AuthenticatorConfiguration authenticatorConfiguration) { string encryptedCookie = authenticatorConfiguration.CryptographyConfiguration.EncryptionProvider.Encrypt(cookieValue); byte[] hmacBytes = authenticatorConfiguration.CryptographyConfiguration.HmacProvider.GenerateHmac(encryptedCookie); string hmacstring = Convert.ToBase64String(hmacBytes); return String.Format("{1}{0}", encryptedCookie, hmacstring); }
/// <summary> /// Decrypt and validate an encrypted and signed cookie value /// </summary> /// <param name="cookieValue">Encrypted and signed cookie value</param> /// <param name="configuration">Current configuration</param> /// <returns>Decrypted value, or empty on error or if failed validation</returns> internal static string DecryptAndValidateAuthenticationCookie(string cookieValue, AuthenticatorConfiguration configuration) { // TODO - shouldn't this be automatically decoded by nancy cookie when that change is made? var decodedCookie = HttpUtility.UrlDecode(cookieValue); var hmacStringLength = Base64Helpers.GetBase64Length(configuration.CryptographyConfiguration.HmacProvider.HmacLength); var encryptedCookie = decodedCookie.Substring(hmacStringLength); var hmacString = decodedCookie.Substring(0, hmacStringLength); var encryptionProvider = configuration.CryptographyConfiguration.EncryptionProvider; // Check the hmacs, but don't early exit if they don't match var hmacBytes = Convert.FromBase64String(hmacString); var newHmac = configuration.CryptographyConfiguration.HmacProvider.GenerateHmac(encryptedCookie); var hmacValid = HmacComparer.Compare(newHmac, hmacBytes, configuration.CryptographyConfiguration.HmacProvider.HmacLength); var decrypted = encryptionProvider.Decrypt(encryptedCookie); // Only return the decrypted result if the hmac was ok return hmacValid ? decrypted : String.Empty; }
static Authenticator() { _authenticatorConfiguration = new AuthenticatorConfiguration(); }
/// <summary> /// Build the forms authentication cookie /// </summary> /// <param name="userIdentifier">Authenticated user identifier</param> /// <param name="cookieExpiryDate">Optional expiry date for the cookie (for 'Remember me')</param> /// <param name="authenticatorConfiguration">Current configuration</param> /// <returns>Nancy cookie instance</returns> internal static INancyCookie CreateEncryptedAndSignedAuthenticationCookie(Guid userIdentifier, DateTime? cookieExpiryDate, AuthenticatorConfiguration authenticatorConfiguration) { string cookieContents = EncryptAndSignCookie(userIdentifier.ToString(), authenticatorConfiguration); return new NancyCookie("mix.auth", cookieContents, true) { Expires = cookieExpiryDate }; }