Пример #1
0
        // copy constructor
        public AntiForgeryData(AntiForgeryData token) {
            if (token == null) {
                throw new ArgumentNullException("token");
            }

            CreationDate = token.CreationDate;
            Salt = token.Salt;
            Username = token.Username;
            Value = token.Value;
        }
Пример #2
0
        // copy constructor
        public AntiForgeryData(AntiForgeryData token)
        {
            if (token == null)
            {
                throw new ArgumentNullException("token");
            }

            CreationDate = token.CreationDate;
            Salt         = token.Salt;
            Username     = token.Username;
            Value        = token.Value;
        }
        public HtmlString GetHtml(HttpContextBase httpContext, string salt, string domain, string path)
        {
            Debug.Assert(httpContext != null);

            string formValue = GetAntiForgeryTokenAndSetCookie(httpContext, salt, domain, path);
            string fieldName = AntiForgeryData.GetAntiForgeryTokenName(null);

            TagBuilder builder = new TagBuilder("input");

            builder.Attributes["type"]  = "hidden";
            builder.Attributes["name"]  = fieldName;
            builder.Attributes["value"] = formValue;
            return(new HtmlString(builder.ToString(TagRenderMode.SelfClosing)));
        }
        public virtual string Serialize(AntiForgeryData token)
        {
            if (token == null)
            {
                throw new ArgumentNullException("token");
            }

            using (MemoryStream stream = new MemoryStream())
                using (BinaryWriter writer = new BinaryWriter(stream)) {
                    writer.Write(token.Salt);
                    writer.Write(token.Value);
                    writer.Write(token.CreationDate.Ticks);
                    writer.Write(token.Username);

                    return(Encoder(stream.ToArray()));
                }
        }
        public void Validate(HttpContextBase context, string salt)
        {
            Debug.Assert(context != null);

            string fieldName  = AntiForgeryData.GetAntiForgeryTokenName(null);
            string cookieName = AntiForgeryData.GetAntiForgeryTokenName(context.Request.ApplicationPath);

            HttpCookie cookie = context.Request.Cookies[cookieName];

            if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            {
                // error: cookie token is missing
                throw CreateValidationException();
            }
            AntiForgeryData cookieToken = Serializer.Deserialize(cookie.Value);

            string formValue = context.Request.Form[fieldName];

            if (String.IsNullOrEmpty(formValue))
            {
                // error: form token is missing
                throw CreateValidationException();
            }
            AntiForgeryData formToken = Serializer.Deserialize(formValue);

            if (!String.Equals(cookieToken.Value, formToken.Value, StringComparison.Ordinal))
            {
                // error: form token does not match cookie token
                throw CreateValidationException();
            }

            string currentUsername = AntiForgeryData.GetUsername(context.User);

            if (!String.Equals(formToken.Username, currentUsername, StringComparison.OrdinalIgnoreCase))
            {
                // error: form token is not valid for this user
                // (don't care about cookie token)
                throw CreateValidationException();
            }

            if (!String.Equals(salt ?? String.Empty, formToken.Salt, StringComparison.Ordinal))
            {
                // error: custom validation failed
                throw CreateValidationException();
            }
        }
        private string GetAntiForgeryTokenAndSetCookie(HttpContextBase httpContext, string salt, string domain, string path)
        {
            string cookieName = AntiForgeryData.GetAntiForgeryTokenName(httpContext.Request.ApplicationPath);

            AntiForgeryData cookieToken = null;
            HttpCookie      cookie      = httpContext.Request.Cookies[cookieName];

            if (cookie != null)
            {
                try
                {
                    cookieToken = Serializer.Deserialize(cookie.Value);
                }
                catch (HttpAntiForgeryException)
                {
                }
            }

            if (cookieToken == null)
            {
                cookieToken = AntiForgeryData.NewToken();
                string cookieValue = Serializer.Serialize(cookieToken);

                HttpCookie newCookie = new HttpCookie(cookieName, cookieValue)
                {
                    HttpOnly = true, Domain = domain
                };
                if (!String.IsNullOrEmpty(path))
                {
                    newCookie.Path = path;
                }
                httpContext.Response.Cookies.Set(newCookie);
            }

            AntiForgeryData formToken = new AntiForgeryData(cookieToken)
            {
                Salt     = salt,
                Username = AntiForgeryData.GetUsername(httpContext.User)
            };

            return(Serializer.Serialize(formToken));
        }