/// <summary>Validates the tokens.</summary> /// /// <exception cref="HttpAntiForgeryException"> Thrown when a Create Cookie Missing error condition occurs.</exception> /// <exception cref="HttpAntiForgeryException"> Thrown when a Create Form Field Missing error condition occurs.</exception> /// <exception cref="HttpAntiForgeryException"> Thrown when a Create Tokens Swapped error condition occurs.</exception> /// <exception cref="HttpAntiForgeryException"> Thrown when a Create Security Token Mismatch error condition occurs.</exception> /// <exception cref="HttpAntiForgeryException"> Thrown when a Create Username Mismatch error condition occurs.</exception> /// <exception cref="HttpAntiForgeryException"> Thrown when a Create Claim UID Mismatch error condition occurs.</exception> /// <exception cref="HttpAntiForgeryException">Thrown when a Create Additional Data Check Failed error condition occurs.</exception> /// /// <param name="httpContext"> Context for the HTTP.</param> /// <param name="identity"> The identity.</param> /// <param name="sessionToken">The session token.</param> /// <param name="fieldToken"> The field token.</param> public void ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken) { // Were the tokens even present at all? if (sessionToken == null) { throw HttpAntiForgeryException.CreateCookieMissingException(_config.CookieName); } if (fieldToken == null) { throw HttpAntiForgeryException.CreateFormFieldMissingException(_config.FormFieldName); } // Do the tokens have the correct format? if (!sessionToken.IsSessionToken || fieldToken.IsSessionToken) { throw HttpAntiForgeryException.CreateTokensSwappedException(_config.CookieName, _config.FormFieldName); } // Are the security tokens embedded in each incoming token identical? if (!Equals(sessionToken.SecurityToken, fieldToken.SecurityToken)) { throw HttpAntiForgeryException.CreateSecurityTokenMismatchException(); } // Is the incoming token meant for the current user? string currentUsername = String.Empty; BinaryBlob currentClaimUid = null; if (identity != null && identity.IsAuthenticated) { currentClaimUid = _claimUidExtractor.ExtractClaimUid(identity); if (currentClaimUid == null) { currentUsername = identity.Name ?? String.Empty; } } // OpenID and other similar authentication schemes use URIs for the username. // These should be treated as case-sensitive. bool useCaseSensitiveUsernameComparison = currentUsername.StartsWith("http://", StringComparison.OrdinalIgnoreCase) || currentUsername.StartsWith("https://", StringComparison.OrdinalIgnoreCase); if (!String.Equals(fieldToken.Username, currentUsername, (useCaseSensitiveUsernameComparison) ? StringComparison.Ordinal : StringComparison.OrdinalIgnoreCase)) { throw HttpAntiForgeryException.CreateUsernameMismatchException(fieldToken.Username, currentUsername); } if (!Equals(fieldToken.ClaimUid, currentClaimUid)) { throw HttpAntiForgeryException.CreateClaimUidMismatchException(); } // Is the AdditionalData valid? if (_config.AdditionalDataProvider != null && !_config.AdditionalDataProvider.ValidateAdditionalData(httpContext, fieldToken.AdditionalData)) { throw HttpAntiForgeryException.CreateAdditionalDataCheckFailedException(); } }
/// <summary>true this object to the given stream.</summary> /// /// <exception>Thrown when a Create Deserialization Failed error condition occurs.</exception> /// /// <param name="serializedToken">The serialized token.</param> /// /// <returns>An AntiForgeryToken.</returns> public AntiForgeryToken Deserialize(string serializedToken) { try { using (MemoryStream stream = new MemoryStream(_cryptoSystem.Unprotect(serializedToken))) { using (BinaryReader reader = new BinaryReader(stream)) { AntiForgeryToken token = DeserializeImpl(reader); if (token != null) { return(token); } } } } catch { // swallow all exceptions - homogenize error if something went wrong } // if we reached this point, something went wrong deserializing throw HttpAntiForgeryException.CreateDeserializationFailedException(); }