/// <summary>
/// Global.asax hook that runs once when ASP.NET creates a new session. It seeds the
/// session with every configured default item and then issues a fresh per-session
/// CSRF token (presumably the one CSRF.IsCSRFTokenMatch compares requests against).
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Session_Start(object sender, EventArgs e)
{
    var session = Session;

    // Copy the configured defaults in first so that every request, authenticated or
    // not, sees a fully populated session before any handler runs.
    var configuredItems = AppSession.AppSessionConfig.SessionItems;
    foreach (AppSessionItem configured in configuredItems)
    {
        AppSession.SetSession(configured.Name, configured.Value, session);
    }

    // One CSRF token per session; it is regenerated only when a new session starts,
    // which is why Logout forces the session cookie to expire.
    string csrfToken = AuthenUtil.GenerateToken();
    AppSession.SetSession("CSRF_TOKEN", csrfToken, session);
}
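/// <summary>
/// Starts a password reset for the account named by <c>USER_ID</c>: looks the user up,
/// stores a fresh reset token against the account and e-mails a link carrying that token.
/// </summary>
/// <param name="queryParameter">
/// Request parameters; must contain <c>USER_ID</c>, which is attacker-controlled input.
/// </param>
/// <returns>
/// The result of the mail send when everything succeeded; the failed token-insert result
/// if that step failed; or a failed <see cref="QueryResult"/> with message
/// <c>USER_NOT_EXIST</c> when the user lookup returned nothing.
/// </returns>
public static QueryResult ForgetPassword(QueryParameter queryParameter)
{
    string userID = queryParameter["USER_ID"].ToString();
    IDatabaseConnector dbConnector = new DatabaseConnectorClass();

    QueryParameter lookup = new QueryParameter();
    lookup.Add("USER_ID", userID);
    QueryResult userResult = dbConnector.ExecuteStoredProcedure("UM_USER_Q", lookup);

    // A query that succeeded but returned no row is treated as "user not found" rather
    // than letting Rows[0] throw.
    bool userFound = userResult.Success
                     && userResult.DataTable != null
                     && userResult.DataTable.Rows.Count > 0;
    if (!userFound)
    {
        // NOTE(review): a distinct message here lets a caller probe which user IDs
        // exist (account enumeration). Kept for compatibility with existing callers;
        // a uniform "if the account exists, mail was sent" response would be safer.
        QueryResult notFound = new QueryResult();
        notFound.Success = false;
        notFound.Message = "USER_NOT_EXIST";
        return notFound;
    }

    string userEmail = userResult.DataTable.Rows[0]["EMAIL"].ToString();

    // The value stored in APP_FORGET_PWD_TOKEN is the very value mailed to the user, so
    // hashing here adds no protection: anyone who can read that table can build a valid
    // reset link. Storing the hash and mailing the raw token would fix that, but it
    // requires resetpassword.aspx / APP_FORGET_PWD_TOKEN_MATCH to hash the URL token
    // before comparing, so it must be changed together with them.
    string token = AuthenUtil.GetStringSha256Hash(AuthenUtil.GenerateToken());

    QueryParameter tokenInsert = new QueryParameter();
    tokenInsert.Add("USER_ID", userID);
    tokenInsert.Add("TOKEN", token);
    QueryResult result = dbConnector.ExecuteStoredProcedure("APP_FORGET_PWD_TOKEN_I", tokenInsert);
    if (!result.Success)
    {
        return result;
    }

    // TODO: the reset host is hard-coded to plain-HTTP localhost; it should come from
    // configuration and use HTTPS so the token is not sent in clear text.
    // Both query values are percent-encoded so a user ID containing '&', '#' or '=' cannot
    // alter the link.
    string passwordResetUrl = string.Format(
        "http://localhost/WebApp/resetpassword.aspx?userID={0}&token={1}",
        Uri.EscapeDataString(userID),
        Uri.EscapeDataString(token));

    // USER_ID comes straight from the request: HTML-encode it before embedding it in an
    // HTML mail body, and attribute-encode the URL for the href.
    string safeUserID = WebUtility.HtmlEncode(userID);
    string safeResetUrl = WebUtility.HtmlEncode(passwordResetUrl);

    QueryParameter mailParameter = new QueryParameter();
    mailParameter.Add("MAIL_TO", userEmail);
    mailParameter.Add("MAIL_SUBJECT", "Reset Password");
    mailParameter.Add("MAIL_BODY", string.Format(@"
<h1>Reset Password</h1>
<div>
You have requested to reset password for account {0}
<br/>
<b>Please contact administrator if you have not issued reset password request.</b>
</div>
<br/>
Click <a href=""{1}"">here</a> to reset password.
", safeUserID, safeResetUrl));

    return MailUtil.SendEmail(mailParameter);
}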
/// <summary>
/// Updates a user record via <c>UM_USER_U</c>. If the parameters carry a <c>PASSWORD</c>,
/// it is replaced with its SHA-256 digest before the call so the plaintext never reaches
/// the database.
/// </summary>
/// <param name="queryParameter">Update parameters as received from the caller.</param>
/// <returns>The stored-procedure result, unchanged.</returns>
public static QueryResult UpdateUser(QueryParameter queryParameter)
{
    // Rebuilt from the caller's dictionary (presumably a copy, so the caller's set is not
    // mutated — TODO confirm against QueryParameter's constructor).
    QueryParameter updateParams = new QueryParameter(queryParameter.Parameter);

    bool hasPassword = updateParams.Parameter.ContainsKey("PASSWORD");
    if (hasPassword)
    {
        string plaintext = updateParams["PASSWORD"].ToString();
        // NOTE(review): unsalted SHA-256 is not a password hash (no salt, no work factor);
        // this must be migrated to PBKDF2/Argon2 together with Login and the reset page,
        // since all three must agree with what is stored.
        // Assumes Add() overwrites the existing PASSWORD entry — same pattern as Login.
        updateParams.Add("PASSWORD", AuthenUtil.GetStringSha256Hash(plaintext));
    }

    IDatabaseConnector db = new DatabaseConnectorClass();
    return db.ExecuteStoredProcedure("UM_USER_U", updateParams);
}
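/// <summary>
/// Ends the current user's session: revokes the server-side authentication token,
/// records the logout, wipes the session, and — when a response is supplied — expires the
/// auth and session cookies and writes the logout result as JSON.
/// </summary>
/// <param name="Session">
/// Current session; may be null, in which case only the cookie/response work runs.
/// </param>
/// <param name="Response">
/// Optional response on which cookies are cleared and the JSON result is written.
/// </param>
public static void Logout(HttpSessionState Session, HttpResponse Response = null)
{
    IDatabaseConnector dbConnector = new DatabaseConnectorClass();
    QueryResult logoutResult = new QueryResult();

    if (Session != null)
    {
        object sessionUser = AppSession.GetSession("USER_ID", Session);
        if (sessionUser != null)
        {
            string userID = sessionUser.ToString();

            object sessionToken = AppSession.GetSession("AUTHEN_TOKEN", Session);
            if (sessionToken != null)
            {
                // Invalidate the server-side token so a replayed token no longer authenticates.
                AuthenUtil.ClearToken(userID, sessionToken.ToString());
            }

            QueryParameter logoutParameter = new QueryParameter();
            logoutParameter.Add("USER_ID", userID);
            logoutResult = dbConnector.ExecuteStoredProcedure("SYS_I_LOGOUT", logoutParameter);
            // Logout is best-effort: a failed audit insert must not keep the user logged in,
            // so the result is reported to the client as success regardless.
            logoutResult.Success = true;
            logoutResult.Message = string.Empty;
            logoutResult.RemoveOutputParam("error");
        }

        AppSession.SetSession("USER_ID", null, Session);
        AppSession.SetSession("AUTHEN_TOKEN", null, Session);
        AppSession.SetSession("IS_GUEST", true, Session);
        // Clearing the session also drops CSRF_TOKEN, so the client must reload the page
        // to obtain a freshly generated token before making further requests.
        Session.Clear();
        Session.Abandon();
    }

    if (Response != null)
    {
        // An empty value alone does not make the browser drop the cookie: date it in the
        // past so it is discarded, and keep it out of script reach. Assumes the login-time
        // cookie was issued with the default path/domain (it is not set in this file).
        HttpCookie authenTokenCookie = new HttpCookie("AUTHEN_TOKEN");
        authenTokenCookie.Value = "";
        authenTokenCookie.Expires = DateTime.UtcNow.AddDays(-1);
        authenTokenCookie.HttpOnly = true;
        Response.Cookies.Add(authenTokenCookie);

        // Abandon() alone lets ASP.NET reuse the existing session ID cookie; expiring it
        // forces a brand-new session (and thus a new CSRF token) on the next request.
        Response.Cookies["esrith.session.id"].Expires = DateTime.UtcNow.AddDays(-30);

        Response.ClearContent();
        Response.ContentType = "application/json";
        Response.Write(logoutResult.ToJson());
    }
}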
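/// <summary>
/// Authenticates a user through <c>APP_LOGIN_Q</c>. On success the configured session
/// items are populated from the returned row, a fresh authentication token is stored in
/// the session (and registered server-side when duplicate-login checking is enabled),
/// and <c>USER_ID</c> is stripped from the returned table.
/// </summary>
/// <param name="context">Current HTTP context; its session receives the login state.</param>
/// <param name="queryParameter">Login parameters; <c>PASSWORD</c> is hashed before the call.</param>
/// <returns>The stored-procedure result (minus the <c>USER_ID</c> column on success).</returns>
/// <exception cref="InvalidOperationException">
/// Login succeeded but the result did not populate <c>USER_ID</c> in the session.
/// </exception>
public static QueryResult Login(HttpContext context, QueryParameter queryParameter)
{
    QueryParameter loginParams = new QueryParameter(queryParameter.Parameter);
    if (loginParams.Parameter.ContainsKey("PASSWORD"))
    {
        // NOTE(review): unsalted SHA-256 (same scheme as UpdateUser and the reset page) is
        // not a suitable password hash; migrating to PBKDF2/Argon2 must be done together
        // with the stored hashes and APP_LOGIN_Q.
        string plaintext = loginParams["PASSWORD"].ToString();
        loginParams.Add("PASSWORD", AuthenUtil.GetStringSha256Hash(plaintext));
    }

    IDatabaseConnector dbConnector = new DatabaseConnectorClass();
    QueryResult queryResult = dbConnector.ExecuteStoredProcedure("APP_LOGIN_Q", loginParams);

    bool authenticated = queryResult.Success
                         && queryResult.DataTable != null
                         && queryResult.DataTable.Rows.Count > 0;
    if (!authenticated)
    {
        return queryResult;
    }

    // Only columns that are declared as session items in config are copied into the session.
    DataRow userRow = queryResult.DataTable.Rows[0];
    foreach (DataColumn dataColumn in queryResult.DataTable.Columns)
    {
        foreach (AppSessionItem sessionItem in AppSession.AppSessionConfig.SessionItems)
        {
            if (sessionItem.Name.Equals(dataColumn.ColumnName))
            {
                AppSession.SetSession(dataColumn.ColumnName, userRow[dataColumn.ColumnName], context.Session);
                break;
            }
        }
    }

    object sessionUser = AppSession.GetSession("USER_ID", context.Session);
    if (sessionUser == null)
    {
        // USER_ID drives token bookkeeping; fail with a clear message instead of a
        // NullReferenceException when it is missing from the session config or result.
        throw new InvalidOperationException("Login result did not populate USER_ID in the session.");
    }
    string userID = sessionUser.ToString();

    // NOTE(review): the ASP.NET session ID is not rotated here, so a session ID fixed by
    // an attacker before login remains valid after it (session fixation). Issue a new
    // session ID — e.g. expire the session cookie as Logout does and re-establish state —
    // before storing the authenticated token.
    string token = AuthenUtil.GenerateToken();
    AppSession.SetSession("AUTHEN_TOKEN", token, context.Session);
    AppSession.SetSession("IS_GUEST", false, context.Session);
    if (AppHttpHandler.AppHttpHandlerConfig.Security.EnableDuplicateAuthenChecking)
    {
        AuthenUtil.StoreToken(userID, token);
    }

    // USER_ID is deliberately not returned to the client; delete this block to return it.
    // Guarded so Remove() cannot throw if the column is ever absent.
    if (queryResult.DataTable.Columns.Contains("USER_ID"))
    {
        queryResult.DataTable.Columns.Remove("USER_ID");
    }
    return queryResult;
}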
/// <summary>
/// Security gate for a request: sets the response encoding, then rejects the request by
/// throwing if it fails authentication or if its CSRF token does not match the session.
/// </summary>
/// <param name="context">Current HTTP context (request, session and response).</param>
/// <param name="queryParameter">Request parameters; the CSRF token is read from these.</param>
/// <param name="authenMode">Authentication mode the endpoint requires.</param>
/// <exception cref="Exception">
/// Message is the authentication failure reason (expected to be <c>DUPLICATE_LOGIN</c> or
/// <c>NOT_AUTHORIZED</c>) or <c>CSRF_TOKEN_MISMATCH</c>.
/// </exception>
public static void ProcessRequest(HttpContext context, QueryParameter queryParameter, AuthenUtil.AuthenMode authenMode)
{
    context.Response.ContentEncoding = Encoding.UTF8;

    // Authentication is checked before CSRF so an unauthenticated caller learns nothing
    // about the CSRF state.
    string authenError;
    bool authenticated = AuthenUtil.IsValidAuthen(context.Request, context.Session, authenMode, out authenError);
    if (!authenticated)
    {
        throw new Exception(authenError);
    }

    bool csrfTokenMatches = CSRF.IsCSRFTokenMatch(context.Session, queryParameter);
    if (!csrfTokenMatches)
    {
        throw new Exception("CSRF_TOKEN_MISMATCH");
    }
}
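/// <summary>
/// Password-reset page. On every request (initial GET and postback alike) the
/// <c>userID</c>/<c>token</c> pair from the request is validated against the stored reset
/// token; only when that check passes is a posted password accepted and written, after
/// which the reset token is deleted so the link is single-use.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    // Request.Params merges query string, form, cookies and server variables; both values
    // are attacker-controlled until APP_FORGET_PWD_TOKEN_MATCH has accepted them.
    string userID = Request.Params["userID"];
    string token = Request.Params["token"];

    if (userID == null || token == null)
    {
        this.PasswordResetForm.Visible = false;
        this.Message.Text = "Unauthorized";
        return;
    }

    IDatabaseConnector dbConnector = new DatabaseConnectorClass();

    QueryParameter matchParam = new QueryParameter();
    matchParam.Add("USER_ID", userID);
    matchParam.Add("TOKEN", token);
    QueryResult matchResult = dbConnector.ExecuteStoredProcedure("APP_FORGET_PWD_TOKEN_MATCH", matchParam);
    if (!matchResult.Success)
    {
        this.PasswordResetForm.Visible = false;
        this.Message.Text = matchResult.Message == "TOKEN_EXPIRED" ? "URL is expired" : "Unauthorized";
        // Previously execution fell through to the postback branch here, so a POST carrying
        // any userID and an invalid/expired token could still overwrite that user's
        // password. A failed token match must end the request.
        return;
    }

    if (!IsPostBack)
    {
        return;
    }

    // Postback from the ASP.NET WebForm: validate the new password before writing it.
    // Both fields are trimmed so the confirmation comparison is consistent.
    string password = this.Password.Text.Trim();
    string passwordConfirm = this.PasswordConfirm.Text.Trim();
    if (password.Length == 0)
    {
        this.Message.Text = "Password is empty";
        return;
    }
    if (password != passwordConfirm)
    {
        this.Message.Text = "Password is not match";
        return;
    }

    // Same unsalted SHA-256 scheme as Login/UpdateUser; it must change together with them.
    string hashPassword = AuthenUtil.GetStringSha256Hash(password);
    QueryParameter updateParam = new QueryParameter();
    updateParam.Add("USER_ID", userID);
    updateParam.Add("PASSWORD", hashPassword);
    QueryResult updateResult = dbConnector.ExecuteStoredProcedure("UM_USER_PWD_U", updateParam);
    if (updateResult.Success)
    {
        // Single-use link: drop the reset token once the password has been changed.
        QueryParameter deleteParam = new QueryParameter();
        deleteParam.Add("USER_ID", userID);
        dbConnector.ExecuteStoredProcedure("APP_FORGET_PWD_TOKEN_D", deleteParam);

        this.PasswordResetForm.Visible = false;
        this.Message.Text = "Password reset successful. Please go to login page.";
    }
}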