/// <summary>
/// Writes <paramref name="token"/> to the response as the anti-XSRF cookie.
/// The cookie is always HttpOnly; it is additionally marked Secure only when
/// m_config.RequireSSL is set.
/// </summary>
/// <param name="response">Response whose Set-Cookie headers receive the new cookie.</param>
/// <param name="token">Token to persist; serialized with AntiForgeryTokenSerializer.</param>
public void SaveCookieToken(HttpResponseMessage response, AntiForgeryToken token)
{
    string cookieValue = AntiForgeryTokenSerializer.Serialize(token);

    // HttpOnly keeps the token out of reach of page script.
    CookieHeaderValue antiXsrfCookie = new CookieHeaderValue(m_config.CookieName, cookieValue);
    antiXsrfCookie.HttpOnly = true;

    // Only ever raise Secure to true; never assign it straight from RequireSSL.
    // Per the original note, the property's default comes from the
    // <httpCookies> config element and must not be overwritten with false.
    // Consequently, when RequireSSL is off the cookie may still travel over
    // plain HTTP unless that config element says otherwise.
    if (m_config.RequireSSL)
    {
        antiXsrfCookie.Secure = true;
    }

    // NOTE(review): no SameSite attribute is emitted here — confirm whether the
    // CookieHeaderValue used by this project exposes one before relying on it.
    response.Headers.AddCookies(new[] { antiXsrfCookie });
}
// [ ENTRY POINT ]
/// <summary>
/// Produces the hidden &lt;input&gt; carrying the anti-XSRF form token for
/// the current request. Side effects on <paramref name="response"/>: a new
/// anti-XSRF cookie is written when one had to be generated, and an
/// X-Frame-Options: SAMEORIGIN header is added unless suppressed by config
/// or already present.
/// </summary>
/// <param name="response">Response being built; its RequestMessage identifies the current request.</param>
/// <returns>A TagBuilder for the hidden input that must be rendered inside the form.</returns>
public TagBuilder GetFormInputElement(HttpResponseMessage response)
{
    var request = response.RequestMessage;

    // Enforce the SSL requirement before any token work happens.
    CheckSSLConfig(request);

    AntiForgeryToken existingCookieToken = GetCookieTokenNoThrow(request);
    AntiForgeryToken freshCookieToken;
    AntiForgeryToken formToken;
    GetTokens(request, existingCookieToken, out freshCookieToken, out formToken);

    // A non-null cookie token means GetTokens minted a new one; persist it so
    // later requests validate against it.
    if (freshCookieToken != null)
    {
        m_tokenStore.SaveCookieToken(response, freshCookieToken);
    }

    if (!m_config.SuppressXFrameOptionsHeader)
    {
        // Clickjacking defense, see
        // http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-10.
        // An existing X-Frame-Options value is left untouched, so a stricter
        // setting applied elsewhere wins.
        const string FrameOptionsHeaderName = "X-Frame-Options";
        if (!response.Headers.Contains(FrameOptionsHeaderName))
        {
            response.Headers.Add(FrameOptionsHeaderName, "SAMEORIGIN");
        }
    }

    // Rendered as <input type="hidden" name="{FormFieldName}" value="{token}" />
    TagBuilder hiddenInput = new TagBuilder("input");
    hiddenInput.Attributes["type"] = "hidden";
    hiddenInput.Attributes["name"] = m_config.FormFieldName;
    // NOTE(review): formToken is assumed non-null after GetTokens — confirm.
    hiddenInput.Attributes["value"] = AntiForgeryTokenSerializer.Serialize(formToken);
    return hiddenInput;
}
/// <summary>
/// Null-tolerant wrapper around AntiForgeryTokenSerializer.Serialize.
/// </summary>
/// <param name="token">Token to serialize; may be null.</param>
/// <returns>The serialized token, or null when <paramref name="token"/> is null.</returns>
private string Serialize(AntiForgeryToken token)
{
    if (token == null)
    {
        return null;
    }

    return AntiForgeryTokenSerializer.Serialize(token);
}