public AntiForgeryToken GetCookieToken(HttpRequestMessage httpContext)
{
CookieHeaderValue cookie = httpContext.Headers.GetCookies(m_config.CookieName).FirstOrDefault();
string cookieValue = cookie?[m_config.CookieName].Value;
if (string.IsNullOrEmpty(cookieValue))
{
return(null);
}
return(AntiForgeryTokenSerializer.Deserialize(cookieValue));
}
public AntiForgeryToken GetFormToken(HttpRequestMessage request)
{
PostData postData = request.GetPostData();
string formValue = postData.FormData[m_config.FormFieldName];
if (string.IsNullOrEmpty(formValue))
{
request.QueryParameters().TryGetValue(m_config.FormFieldName, out formValue);
}
if (string.IsNullOrEmpty(formValue))
{
return(null);
}
return(AntiForgeryTokenSerializer.Deserialize(formValue));
}
public void SaveCookieToken(HttpResponseMessage response, AntiForgeryToken token)
{
string serializedToken = AntiForgeryTokenSerializer.Serialize(token);
CookieHeaderValue newCookie = new CookieHeaderValue(m_config.CookieName, serializedToken)
{
HttpOnly = true
};
// Note: don't use "newCookie.Secure = _config.RequireSSL;" since the default
// value of newCookie.Secure is automatically populated from the <httpCookies>
// config element.
if (m_config.RequireSSL)
{
newCookie.Secure = true;
}
response.Headers.AddCookies(new[] { newCookie });
}
// [ ENTRY POINT ]
// Generates an anti-XSRF token pair for the current user. The return
// value is the hidden input form element that should be rendered in
// the <form>. This method has a side effect: it may set a response
// cookie.
public TagBuilder GetFormInputElement(HttpResponseMessage response)
{
CheckSSLConfig(response.RequestMessage);
AntiForgeryToken oldCookieToken = GetCookieTokenNoThrow(response.RequestMessage);
AntiForgeryToken newCookieToken, formToken;
GetTokens(response.RequestMessage, oldCookieToken, out newCookieToken, out formToken);
// If a new cookie was generated, persist it.
if (newCookieToken != null)
{
m_tokenStore.SaveCookieToken(response, newCookieToken);
}
if (!m_config.SuppressXFrameOptionsHeader)
{
// Adding X-Frame-Options header to prevent ClickJacking. See
// http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-10
// for more information.
const string FrameHeaderName = "X-Frame-Options";
if (!response.Headers.Contains(FrameHeaderName))
{
response.Headers.Add(FrameHeaderName, "SAMEORIGIN");
}
}
// <input type="hidden" name="__AntiForgeryToken" value="..." />
TagBuilder retVal = new TagBuilder("input");
retVal.Attributes["type"] = "hidden";
retVal.Attributes["name"] = m_config.FormFieldName;
retVal.Attributes["value"] = AntiForgeryTokenSerializer.Serialize(formToken);
return(retVal);
}
private AntiForgeryToken DeserializeToken(string serializedToken)
{
return(!string.IsNullOrEmpty(serializedToken) ? AntiForgeryTokenSerializer.Deserialize(serializedToken) : null);
}
private string Serialize(AntiForgeryToken token)
{
return(token != null?AntiForgeryTokenSerializer.Serialize(token) : null);
}