Decrypt() public static method

public static Decrypt ( string encryptedTicket ) : System.Web.Security.FormsAuthenticationTicket
encryptedTicket string
return System.Web.Security.FormsAuthenticationTicket
Exemplo n.º 1
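        /// <summary>
        /// Sample: on the first (non-postback) load, reads the forms-authentication cookie,
        /// decrypts it and pulls the application-supplied UserData out of the ticket.
        /// The sample stops before that data is deserialized; the placeholder comment
        /// marks where that would go. <c>FA</c> is presumably an alias for
        /// FormsAuthentication — confirm the using directive at the top of the file.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event arguments (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            if (IsPostBack)
            {
                return;
            }

            // 1. Read the login cookie. Nothing to do when it is absent or empty.
            HttpCookie cookie = Request.Cookies[FA.FormsCookieName];
            if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            {
                return;
            }

            try
            {
                string userData = null;
                // 2. Decrypt the cookie value to get the FormsAuthenticationTicket.
                //    Decrypt is expected to throw on a tampered or undecryptable value
                //    (confirm against the framework version in use); the catch below
                //    handles that case.
                FormsAuthenticationTicket ticket = FA.Decrypt(cookie.Value);

                // 3. Restore the user data — but only from a ticket that has not expired.
                //    The original sample omitted the Expired check, so a stale ticket that
                //    still decrypts would have had its UserData trusted. The framework's
                //    own ExtractTicketFromCookie rejects expired tickets; do the same here.
                if (ticket != null && !ticket.Expired && !string.IsNullOrEmpty(ticket.UserData))
                {
                    userData = ticket.UserData;
                }

                // Deserialize the object from userData. The sample ends here; the
                // deserialized object would presumably be used to build the principal
                // that replaces the null assigned below — not shown.

                Context.User = null;
            }
            catch
            {
                // Deliberate catch-all: do not surface decryption/validation failures,
                // so this page cannot be used as an oracle by an attacker probing it
                // with crafted cookie values.
            }
        }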
        ////////////////////////////////////////////////////////////
        ////////////////////////////////////////////////////////////
        ////////////////////////////////////////////////////////////
        // Private method for decrypting a cookie
        /// <summary>
        /// Locates the forms-authentication ticket for the current request and returns it,
        /// or null when no usable ticket is present.
        /// Lookup order: the cookieless URI value or the named cookie; then, only when
        /// EnableCrossAppRedirects is on, the query string and finally the posted form.
        /// A valid ticket found outside the cookie is re-issued as a cookie (or written
        /// into the cookieless URI followed by a redirect) so later requests carry it normally.
        /// Undecryptable and expired tickets are never surfaced to the caller: the value is
        /// removed from the request and an audit event is raised from the finally block.
        /// </summary>
        /// <param name="context">Current request context.</param>
        /// <param name="name">Name of the auth cookie; also the query-string / form key used for cross-app tickets.</param>
        /// <param name="cookielessTicket">Set to true when the ticket is (or must be) carried in the URI rather than a cookie.</param>
        /// <returns>A valid, unexpired ticket, or null.</returns>
        /// <exception cref="HttpException">A valid ticket arrived via query string or form over a non-SSL connection while RequireSSL is on.</exception>
        private static FormsAuthenticationTicket ExtractTicketFromCookie(HttpContext context, String name, out bool cookielessTicket)
        {
            FormsAuthenticationTicket ticket = null;
            string encValue      = null;
            bool   ticketExpired = false;   // drives the ExpiredTicketFailure audit event
            bool   badTicket     = false;   // drives the InvalidTicketFailure audit event (takes precedence over ticketExpired)

            try {
                try {
                    ////////////////////////////////////////////////////////////
                    // Step 0: Check if we should use cookieless
                    cookielessTicket = CookielessHelperClass.UseCookieless(context, false, FormsAuthentication.CookieMode);

                    ////////////////////////////////////////////////////////////
                    // Step 1: Check URI/cookie for ticket
                    if (cookielessTicket)
                    {
                        encValue = context.CookielessHelper.GetCookieValue('F');
                    }
                    else
                    {
                        HttpCookie cookie = context.Request.Cookies[name];
                        if (cookie != null)
                        {
                            encValue = cookie.Value;
                        }
                    }

                    ////////////////////////////////////////////////////////////
                    // Step 2: Decrypt encrypted ticket
                    // Values of length 0 or 1 are ignored outright rather than decrypted.
                    if (encValue != null && encValue.Length > 1)
                    {
                        try {
                            ticket = FormsAuthentication.Decrypt(encValue);
                        } catch {
                            // Decryption/validation failure is swallowed on purpose (note the
                            // commented-out rethrow): the bad value is dropped from the request
                            // and only an audit event is raised, so callers get no error oracle.
                            if (cookielessTicket)
                            {
                                context.CookielessHelper.SetCookieValue('F', null);
                            }
                            else
                            {
                                context.Request.Cookies.Remove(name);
                            }
                            badTicket = true;
                            //throw;
                        }

                        if (ticket == null)
                        {
                            badTicket = true;
                        }

                        // A valid cookie ticket presented over plain HTTP while RequireSSL is on
                        // is NOT returned: it falls through to Step 2b and is discarded silently
                        // (contrast with the HttpException thrown on the query-string/form path below).
                        if (ticket != null && !ticket.Expired)
                        {
                            if (cookielessTicket || !FormsAuthentication.RequireSSL || context.Request.IsSecureConnection) // Make sure it is NOT a secure cookie over an in-secure connection
                            {
                                return(ticket);                                                                            // Found valid ticket
                            }
                        }

                        if (ticket != null && ticket.Expired)
                        {
                            ticketExpired = true;
                        }

                        // Step 2b: Remove expired/bad ticket
                        // Reached for bad, expired, and RequireSSL-violating tickets alike.
                        ticket = null;
                        if (cookielessTicket)
                        {
                            context.CookielessHelper.SetCookieValue('F', null);
                        }
                        else
                        {
                            context.Request.Cookies.Remove(name);
                        }
                    }


                    ////////////////////////////////////////////////////////////
                    // Step 3: Look in QueryString
                    // Only when EnableCrossAppRedirects is set: this is the configuration that
                    // allows a ticket to be handed to the application in a URL or POST body
                    // instead of a cookie. Decrypt failures here are likewise swallowed and audited.
                    if (FormsAuthentication.EnableCrossAppRedirects)
                    {
                        encValue = context.Request.QueryString[name];
                        if (encValue != null && encValue.Length > 1)
                        {
                            if (!cookielessTicket && FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect)
                            {
                                cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode); // find out for sure
                            }
                            try {
                                ticket = FormsAuthentication.Decrypt(encValue);
                            } catch {
                                badTicket = true;
                                //throw;
                            }

                            if (ticket == null)
                            {
                                badTicket = true;
                            }
                        }

                        // Step 3b: Look elsewhere in the request (i.e. posted body)
                        // Consulted only if the query string yielded nothing usable.
                        if (ticket == null || ticket.Expired)
                        {
                            encValue = context.Request.Form[name];
                            if (encValue != null && encValue.Length > 1)
                            {
                                if (!cookielessTicket && FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect)
                                {
                                    cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode); // find out for sure
                                }
                                try {
                                    ticket = FormsAuthentication.Decrypt(encValue);
                                } catch {
                                    badTicket = true;
                                    //throw;
                                }

                                if (ticket == null)
                                {
                                    badTicket = true;
                                }
                            }
                        }
                    }

                    if (ticket == null || ticket.Expired)
                    {
                        if (ticket != null && ticket.Expired)
                        {
                            ticketExpired = true;
                        }

                        return(null); // not found! Exit with null
                    }

                    // Unlike the cookie path, a cross-app ticket over a non-SSL connection is an error.
                    if (FormsAuthentication.RequireSSL && !context.Request.IsSecureConnection) // Bad scenario: valid ticket over non-SSL
                    {
                        throw new HttpException(SR.GetString(SR.Connection_not_secure_creating_secure_cookie));
                    }

                    ////////////////////////////////////////////////////////////
                    // Step 4: Create the cookie/URI value
                    // The ticket obtained from the query string / form is persisted for subsequent
                    // requests: into the cookieless URI (then redirect), or as a hardened cookie.
                    if (cookielessTicket)
                    {
                        // URI tickets are always re-issued with a root cookie path; a ticket with any
                        // other path is rebuilt and re-encrypted so encValue matches what is stored.
                        if (ticket.CookiePath != "/")
                        {
                            FormsAuthenticationTicket tempTicket = FormsAuthenticationTicket.FromUtc(ticket.Version, ticket.Name, ticket.IssueDateUtc,
                                                                                                     ticket.ExpirationUtc, ticket.IsPersistent, ticket.UserData,
                                                                                                     "/");
                            ticket   = tempTicket;
                            encValue = FormsAuthentication.Encrypt(ticket);
                        }
                        context.CookielessHelper.SetCookieValue('F', encValue);
                        // Redirect to the same URL with the ticket variable stripped, so the
                        // ticket does not linger in the address bar / referrer. Redirect presumably
                        // terminates the response, so the return below is not reached here — confirm.
                        string strUrl = FormsAuthentication.RemoveQueryStringVariableFromUrl(context.Request.RawUrl, name);
                        context.Response.Redirect(strUrl);
                    }
                    else
                    {
                        // Cookie attributes: HttpOnly always; Secure mirrors RequireSSL; Expires only
                        // for persistent tickets (session cookie otherwise); Domain/SameSite from config.
                        HttpCookie cookie = new HttpCookie(name, encValue);
                        cookie.HttpOnly = true;
                        cookie.Path     = ticket.CookiePath;
                        if (ticket.IsPersistent)
                        {
                            cookie.Expires = ticket.Expiration;
                        }
                        cookie.Secure = FormsAuthentication.RequireSSL;
                        if (FormsAuthentication.CookieDomain != null)
                        {
                            cookie.Domain = FormsAuthentication.CookieDomain;
                        }
                        cookie.SameSite = FormsAuthentication.CookieSameSite;
                        context.Response.Cookies.Remove(cookie.Name);
                        context.Response.Cookies.Add(cookie);
                    }

                    return(ticket);
                } finally {
                    // Audit outcome. badTicket wins when both flags are set (e.g. an expired
                    // cookie followed by an undecryptable query-string ticket).
                    if (badTicket)
                    {
                        WebBaseEvent.RaiseSystemEvent(null, WebEventCodes.AuditFormsAuthenticationFailure,
                                                      WebEventCodes.InvalidTicketFailure);
                    }
                    else if (ticketExpired)
                    {
                        WebBaseEvent.RaiseSystemEvent(null, WebEventCodes.AuditFormsAuthenticationFailure,
                                                      WebEventCodes.ExpiredTicketFailure);
                    }
                }
            } catch {
                // Pass-through rethrow (keeps the original stack); only the RequireSSL
                // HttpException above and helper failures reach here.
                throw;
            }
        }
Exemplo n.º 3
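        /// <summary>
        /// AuthenticateRequest handler: establishes <c>context.User</c> from the forms
        /// authentication cookie when the application is configured for Forms mode.
        /// Order of work: load config; mark the login page (and any path ending in
        /// WebResource.axd) as skipping authorization; let an Authenticate event subscriber
        /// supply a user; otherwise decrypt the cookie, reject null/expired tickets,
        /// optionally renew the ticket (sliding expiration) and write the refreshed cookie back.
        /// </summary>
        /// <param name="sender">The HttpApplication raising the event.</param>
        /// <param name="args">Unused.</param>
        void OnAuthenticateRequest(object sender, EventArgs args)
        {
            HttpApplication app     = (HttpApplication)sender;
            HttpContext     context = app.Context;

            string cookieName;
            string cookiePath;
            string loginPage;
            bool   slidingExpiration;

            // Nothing to do unless <authentication mode="Forms"> is configured.
            InitConfig(context);
            if (_config == null || _config.Mode != AuthenticationMode.Forms)
            {
                return;
            }

            cookieName        = _config.Forms.Name;
            cookiePath        = _config.Forms.Path;
            loginPage         = _config.Forms.LoginUrl;
            slidingExpiration = _config.Forms.SlidingExpiration;

            // Make the configured login URL app-relative when it is not already rooted.
            if (!VirtualPathUtility.IsRooted(loginPage))
            {
                loginPage = "~/" + loginPage;
            }

            string reqPath   = String.Empty;
            string loginPath = null;

            // Best effort: if either path cannot be mapped the defaults remain and the
            // comparison below simply does not match.
            try {
                reqPath   = context.Request.PhysicalPath;
                loginPath = context.Request.MapPath(loginPage);
            } catch {}             // ignore

            // The login page itself must be reachable without authorization.
            context.SkipAuthorization = String.Compare(reqPath, loginPath, RuntimeHelpers.CaseInsensitive, Helpers.InvariantCulture) == 0;

            //TODO: need to check that the handler is System.Web.Handlers.AssemblyResourceLoader type
            // Until that TODO is done, any request whose path ends in "WebResource.axd" skips
            // authorization on the strength of the path suffix alone.
            string filePath = context.Request.FilePath;

            if (filePath.Length > 15 && String.CompareOrdinal("WebResource.axd", 0, filePath, filePath.Length - 15, 15) == 0)
            {
                context.SkipAuthorization = true;
            }

            // Give an Authenticate event subscriber the chance to supply the principal.
            FormsAuthenticationEventArgs    formArgs = new FormsAuthenticationEventArgs(context);
            FormsAuthenticationEventHandler eh       = events [authenticateEvent] as FormsAuthenticationEventHandler;

            if (eh != null)
            {
                eh(this, formArgs);
            }

            bool contextUserNull = (context.User == null);

            // A user supplied by the event, or already present on the context, wins;
            // the cookie is not consulted in that case.
            if (formArgs.User != null || !contextUserNull)
            {
                if (contextUserNull)
                {
                    context.User = formArgs.User;
                }
                return;
            }

            HttpCookie cookie = context.Request.Cookies [cookieName];

            // NOTE(review): browsers do not send a cookie's Expires attribute back with the
            // request, so the Expires test here is presumably a no-op for real clients; the
            // ticket's own Expired flag below is the check that matters — confirm.
            if (cookie == null || (cookie.Expires != DateTime.MinValue && cookie.Expires < DateTime.Now))
            {
                return;
            }

            FormsAuthenticationTicket ticket = null;

            try {
                ticket = FormsAuthentication.Decrypt(cookie.Value);
            }
            catch (ArgumentException) {
                // Malformed/undecryptable cookie value: treat as unauthenticated, quietly.
                // NOTE(review): only ArgumentException is swallowed; any other exception type
                // thrown by Decrypt propagates to the caller — confirm that is intended.
                return;
            }

            // Reject expired tickets regardless of persistence. The original test was
            // (!ticket.IsPersistent && ticket.Expired), which let an expired *persistent*
            // ticket through and still passed it to RenewTicketIfOld below. The cookie's
            // Expires attribute is enforced by the browser only, so a replayed copy of an old
            // persistent cookie would have authenticated indefinitely. ExtractTicketFromCookie
            // above rejects every expired ticket; do the same here.
            if (ticket == null || ticket.Expired)
            {
                return;
            }

            FormsAuthenticationTicket oldticket = ticket;

            // Sliding expiration: RenewTicketIfOld hands back a fresh ticket when it decides
            // the current one is old enough; reference inequality below detects that.
            if (slidingExpiration)
            {
                ticket = FormsAuthentication.RenewTicketIfOld(ticket);
            }

            context.User = new GenericPrincipal(new FormsIdentity(ticket), new string [0]);

            // Nothing changed and no expiry to refresh: do not re-send the cookie.
            if (cookie.Expires == DateTime.MinValue && oldticket == ticket)
            {
                return;
            }

            cookie.Value = FormsAuthentication.Encrypt(ticket);
            cookie.Path  = cookiePath;
            // Re-issue with the same attributes ExtractTicketFromCookie uses when it writes a
            // ticket cookie: keep it out of script reach, and mirror RequireSSL / CookieDomain
            // so a renewal does not downgrade a Secure or domain-scoped cookie to a plain one.
            cookie.HttpOnly = true;
            cookie.Secure   = FormsAuthentication.RequireSSL;
            if (FormsAuthentication.CookieDomain != null)
            {
                cookie.Domain = FormsAuthentication.CookieDomain;
            }
            if (ticket.IsPersistent)
            {
                cookie.Expires = ticket.Expiration;
            }

            context.Response.Cookies.Add(cookie);
        }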