internal RequestAnalysis(ContextInformation context, FormsAuthenticationCookieAnalysis formsAuthenticationCookieResult, FormsAuthenticationTicketAnalysis formsAuthenticationTicketResult, UserAuthenticationTicketAnalysis userAuthenticationTicketResult) { Context = context; FormsAuthenticationCookieResult = formsAuthenticationCookieResult; FormsAuthenticationTicketResult = formsAuthenticationTicketResult; UserAuthenticationTicketResult = userAuthenticationTicketResult; }
/// <summary> /// Retrieve and analyze the UserAuthenticationTicket /// </summary> /// <param name="contextInformation">Context information derived from the current request</param> /// <param name="cookieAnalysis">The result of the FormsAuthenticationCookie analysis</param> /// <param name="ticketAnalysis">The result of the FormsAuthenticationTicket analysis</param> /// <param name="enforceHostAddressValidation">Indicates whether to enforce that the ticket was provided from the same IP address for which it created</param> /// <returns>A UserAuthenticationTicketAnalysis object containing the results of the analysis</returns> public static UserAuthenticationTicketAnalysis AnalyzeServerAuthenticationTicket(ContextInformation contextInformation, FormsAuthenticationCookieAnalysis cookieAnalysis, FormsAuthenticationTicketAnalysis ticketAnalysis, bool enforceHostAddressValidation) { UserAuthenticationTicket serverAuthTicket = ticketAnalysis.GetServerAuthenticationTicket(); return AnalyzeServerAuthenticationTicket(contextInformation, cookieAnalysis, ticketAnalysis, serverAuthTicket, enforceHostAddressValidation); }
/// <summary> /// Perform analysis of the UserAuthenticationTicket supplied /// </summary> /// <param name="contextInformation">Context information derived from the current request</param> /// <param name="cookieAnalysis">The result of the FormsAuthenticationCookie analysis</param> /// <param name="ticketAnalysis">The result of the FormsAuthenticationTicket analysis</param> /// <param name="userAuthenticationTicket">The UserAuthenticationTicket to inspect</param> /// <param name="enforceHostAddressValidation">Indicates whether to enforce that the ticket was provided from the same IP address for which it created</param> /// <returns>A UserAuthenticationTicketAnalysis object containing the results of the analysis</returns> public static UserAuthenticationTicketAnalysis AnalyzeServerAuthenticationTicket(ContextInformation contextInformation, FormsAuthenticationCookieAnalysis cookieAnalysis, FormsAuthenticationTicketAnalysis ticketAnalysis, UserAuthenticationTicket userAuthenticationTicket, bool enforceHostAddressValidation) { UserAuthenticationTicketAnalysis analysis = new UserAuthenticationTicketAnalysis(); HttpCookie formsAuthCookie = cookieAnalysis.FormsAuthenticationCookie; FormsAuthenticationTicket formsAuthTicket = ticketAnalysis.FormsAuthenticationTicket; analysis.TicketExists = (userAuthenticationTicket != null); if (analysis.TicketExists) { analysis.UserAuthenticationTicket = userAuthenticationTicket; if (userAuthenticationTicket != null) { analysis.CookieDomainMatch = (userAuthenticationTicket.CookieDomain == formsAuthCookie.Domain); analysis.CookiePathMatch = (userAuthenticationTicket.CookiePath == formsAuthTicket.CookiePath && formsAuthTicket.CookiePath == formsAuthCookie.Path); analysis.CookieSecureMatch = (userAuthenticationTicket.CookieSecure == formsAuthCookie.Secure); /* analysis.ExpirationMatch = (DateTime.Compare(UserAuthenticationTicket.TicketExpiration, formsAuthTicket.Expiration) == 0 && DateTime.Compare(formsAuthTicket.Expiration, formsAuthCookie.Expires) == 0); */ analysis.CookieNameMatch = (userAuthenticationTicket.CookieName == formsAuthCookie.Name); analysis.TicketPersistenceMatch = (userAuthenticationTicket.TicketIsPersistent == formsAuthTicket.IsPersistent); analysis.TicketIssueDateMatch = (DateTime.Compare(userAuthenticationTicket.TicketIssueDate, formsAuthTicket.IssueDate) == 0); analysis.TicketUsernameMatch = (userAuthenticationTicket.Username == formsAuthTicket.Name); analysis.TicketVersionMatch = (userAuthenticationTicket.TicketVersion == formsAuthTicket.Version); analysis.TicketHashMatch = (userAuthenticationTicket.TicketHash == ticketAnalysis.TicketHash); analysis.HostAddressMatch = (userAuthenticationTicket.HostAddress == contextInformation.HostAddress); } analysis.IsValid = analysis.CookieDomainMatch && analysis.CookiePathMatch && analysis.CookieSecureMatch && /* analysis.ExpirationMatch && */ analysis.CookieNameMatch && analysis.TicketPersistenceMatch && analysis.TicketIssueDateMatch && analysis.TicketUsernameMatch && analysis.TicketVersionMatch && analysis.TicketHashMatch && (!enforceHostAddressValidation || analysis.HostAddressMatch); if (!analysis.IsValid) { analysis.IsMalicious = !analysis.CookieDomainMatch || !analysis.CookiePathMatch || !analysis.CookieSecureMatch || /* !analysis.ExpirationMatch || */ !analysis.CookieNameMatch || !analysis.TicketPersistenceMatch || !analysis.TicketIssueDateMatch || !analysis.TicketUsernameMatch || !analysis.TicketVersionMatch || !analysis.TicketHashMatch || (enforceHostAddressValidation && !analysis.HostAddressMatch); } } else { analysis.IsValid = false; analysis.IsMalicious = false; } return analysis; }
/// <summary> /// Perform analysis of the FormsAuthenticationTicket supplied /// </summary> /// <param name="cookieAnalysis">The result of the FormsAuthenticationCookie analysis</param> /// <param name="enforceServerAuthenticationTicketValidation">Indicates whether to enforce UserAuthenticationTicket validation</param> /// <param name="isEndRequest">Indicates whether the analysis is occurring during the EndRequest phase of the execution pipeline</param> /// <returns>A FormsAuthenticationTicketAnalysis object containing the results of the analysis</returns> public static FormsAuthenticationTicketAnalysis AnalyzeFormsAuthenticationTicket(FormsAuthenticationCookieAnalysis cookieAnalysis, bool enforceServerAuthenticationTicketValidation, bool isEndRequest) { FormsAuthenticationTicketAnalysis analysis = new FormsAuthenticationTicketAnalysis(); FormsAuthenticationTicket ticket = cookieAnalysis.GetFormsAuthenticationTicket(); analysis.TicketExists = (ticket != null); if (analysis.TicketExists) { if (cookieAnalysis.HasValue && ticket != null) { DateTime netFramework2ReleaseDate = new DateTime(2006, 1, 22); analysis.FormsAuthenticationTicket = ticket; analysis.TicketExists = true; analysis.CookiePathMatches = (ticket.CookiePath == FormsAuthentication.FormsCookiePath); analysis.HasUserData = (!string.IsNullOrEmpty(ticket.UserData)); analysis.IsExpired = ticket.Expired || ticket.Expiration.CompareTo(DateTime.Now) < 0; analysis.IsIssueDateValid = (ticket.IssueDate.CompareTo(netFramework2ReleaseDate) > 0); analysis.IsNameValid = (!string.IsNullOrEmpty(ticket.Name)); // && ticket.Name == ContextInformation.ThreadCurrentPrincipalIdentityName && ticket.Name == ContextInformation.UserIdentityName); analysis.HasUserData = !string.IsNullOrEmpty(ticket.UserData); analysis.IsPersistenceValid = true; /* TODO: See how to check this in FormsAuthentication */ string guid = null; if (ticket.UserData != null && ticket.UserData.Length == UserAuthentication.HashAlgorithmStringLength + UserAuthentication.GuidStringLength + 1 && ticket.UserData[UserAuthentication.HashAlgorithmStringLength] == ';') { string[] parts = ticket.UserData.Split(';'); if (parts.Length == 2) { string hash = parts[0]; analysis.UserDataContainsHash = true; for (int i = 0; i < hash.Length; i++) { if (!((hash[i] >= 0x30 && hash[i] <= 0x39) /* 0-9 */ /* || (hash[i] >= 0x41 && hash[i] <= 0x46) A-F (lowercase only!) */ || (hash[i] >= 0x61 && hash[i] <= 0x66))) /* a-f */ { analysis.UserDataContainsHash = false; break; } } if (analysis.UserDataContainsHash) { analysis.TicketHash = hash; string actualHash = UserAuthentication.CalculateFormsAuthTicketHash(ticket); analysis.IsUserDataHashValid = (hash == actualHash); } guid = parts[1]; try { #pragma warning disable 168 Guid testGuidCreation = new Guid(guid); #pragma warning restore 168 analysis.ServerKey = parts[1]; analysis.UserDataContainsServerAuthenticationTicketKey = true; } catch (FormatException) { analysis.UserDataContainsServerAuthenticationTicketKey = false; } catch (OverflowException) { analysis.UserDataContainsServerAuthenticationTicketKey = false; } catch (ArgumentNullException) { analysis.UserDataContainsServerAuthenticationTicketKey = false; } } else { analysis.UserDataContainsHash = false; analysis.UserDataContainsServerAuthenticationTicketKey = false; } } else { analysis.UserDataContainsHash = false; analysis.UserDataContainsServerAuthenticationTicketKey = false; } if (!string.IsNullOrEmpty(guid)) { UserAuthenticationTicket serverAuthenticationTicket = UserAuthentication.Provider.GetTicket(guid); if (serverAuthenticationTicket != null) { analysis.UserDataServerAuthenticationTicketKeyFound = true; analysis.SetServerAuthenticationTicket(serverAuthenticationTicket); } else { analysis.UserDataServerAuthenticationTicketKeyFound = false; } } else { analysis.UserDataServerAuthenticationTicketKeyFound = false; } analysis.IsVersionValid = (ticket.Version == 2); analysis.IsValid = analysis.TicketExists && analysis.CookiePathMatches && !analysis.IsExpired && analysis.IsIssueDateValid && analysis.IsNameValid && analysis.IsPersistenceValid && analysis.IsVersionValid; /* && (!enforceServerAuthenticationTicketValidation || analysis.HasUserData) && (!enforceServerAuthenticationTicketValidation || analysis.UserDataContainsHash) && (!enforceServerAuthenticationTicketValidation || analysis.IsUserDataHashValid) && (!enforceServerAuthenticationTicketValidation || analysis.UserDataContainsServerAuthenticationTicketKey) && (!enforceServerAuthenticationTicketValidation || analysis.UserDataServerAuthenticationTicketKeyFound) && (!enforceServerAuthenticationTicketValidation || UserAuthenticationTicket != null); */ if (!analysis.IsValid) { analysis.IsMalicious = !analysis.CookiePathMatches || !analysis.IsPersistenceValid || !analysis.IsIssueDateValid || !analysis.IsNameValid || !analysis.IsVersionValid; /* if (!analysis.IsMalicious && enforceServerAuthenticationTicketValidation && !isEndRequest) { analysis.IsMalicious = !analysis.HasUserData || !analysis.UserDataContainsHash || !analysis.IsUserDataHashValid || !analysis.UserDataContainsServerAuthenticationTicketKey; } */ } } else { analysis.IsValid = false; analysis.IsMalicious = false; } } else { analysis.IsValid = false; analysis.IsMalicious = false; } return analysis; }