        /// <summary> Invalidate the old session after copying all of its contents to a newly created session with a new session id.
        /// Note that this is different from logging out and creating a new session identifier that does not contain the
        /// existing session contents. Care should be taken to use this only when the existing session does not contain
        /// hazardous contents.
        ///
        /// </summary>
        /// <returns> The invalidated session.
        /// </returns>
        /// <seealso cref="Owasp.Esapi.Interfaces.IHttpUtilities.ChangeSessionIdentifier()">
        /// </seealso>
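        public IHttpSession ChangeSessionIdentifier()
        {
            // Resolve the authenticator once; Logout() does the same, and the request is not needed here.
            Authenticator authenticator = (Authenticator)Esapi.Authenticator();
            IHttpResponse response = authenticator.CurrentResponse;
            IHttpSession  session  = authenticator.CurrentSession;
            IDictionary   temp     = new Hashtable();

            // Snapshot the session content before the session is abandoned. Keys are taken as strings,
            // which is how the session indexer below is addressed.
            IEnumerator e = session.GetEnumerator();

            while (e != null && e.MoveNext())
            {
                string name = (string)e.Current;
                temp[name] = session[name];
            }

            // Invalidate the old session and force a new session id on the next request.
            // This hack comes from here: http://support.microsoft.com/?kbid=899918
            // NOTE(review): the cookie name is hard-coded to the ASP.NET default; an application that
            // configures a different session cookie name would keep its old id — confirm against web.config.
            session.Abandon();
            response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

            // Copy the snapshot back. Enumerating the Hashtable directly yields DictionaryEntry items,
            // so the intermediate ArrayList copy is unnecessary.
            // NOTE(review): in ASP.NET, Abandon() takes effect at the end of the request, so these values
            // are written into the abandoned session object; whether they reach the new session depends on
            // the IHttpSession implementation — verify before relying on the content being carried over.
            foreach (DictionaryEntry entry in temp)
            {
                session.Add((string)entry.Key, entry.Value);
            }
            return session;
        }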
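        /// <summary> Logout this user.</summary>
        /// <remarks> Abandons the current session when one exists, kills the ASP.NET session cookie, clears the
        /// logged-in flag, logs the event and replaces the current user with the anonymous user. Calling this
        /// for the anonymous user is a no-op.</remarks>
        /// <seealso cref="Owasp.Esapi.Interfaces.IUser.Logout()">
        /// </seealso>
        public void Logout()
        {
            Authenticator authenticator = (Authenticator)Esapi.Authenticator();

            // Nothing to tear down for the anonymous user.
            if (authenticator.GetCurrentUser().Anonymous)
            {
                return;
            }

            IHttpSession session = authenticator.Context.Session;
            if (session != null)
            {
                session.Abandon();
            }

            // Kill the session cookie so the browser cannot present the abandoned session id again.
            // "ASPSESSIONID" was the classic ASP cookie; ASP.NET issues "ASP.NET_SessionId" by default, which is
            // also the name ChangeSessionIdentifier() resets. If web.config configures a different session
            // cookie name, that configured name must be used here instead.
            Esapi.HttpUtilities().KillCookie("ASP.NET_SessionId");

            loggedIn = false;
            logger.LogSuccess(ILogger_Fields.SECURITY, "Logout successful");
            authenticator.SetCurrentUser(authenticator.anonymous);
        }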