/// <summary>
/// Renders the hidden anti-forgery form field for the current request,
/// issuing the matching anti-forgery cookie first when the request did not carry one.
/// </summary>
/// <param name="salt">Caller-supplied salt embedded in the form token.</param>
/// <param name="domain">Domain assigned to the anti-forgery cookie when one is created.</param>
/// <param name="path">Path assigned to the anti-forgery cookie when one is created.</param>
/// <returns>A self-closing hidden &lt;input&gt; element whose value is the serialized form token.</returns>
public string AntiForgeryToken(string salt, string domain, string path)
{
    // The cookie half of the token pair is handled by the helper; only the form half is rendered here.
    string tokenValue = GetAntiForgeryTokenAndSetCookie(salt, domain, path);

    // The form field name is application-path independent (null), unlike the cookie name.
    string inputName = AntiForgeryData.GetAntiForgeryTokenName(null);

    var hiddenInput = new TagBuilder("input");
    hiddenInput.Attributes["name"] = inputName;
    hiddenInput.Attributes["value"] = tokenValue;
    hiddenInput.Attributes["type"] = "hidden";

    return hiddenInput.ToString(TagRenderMode.SelfClosing);
}
/// <summary>
/// Validates the anti-forgery token pair for the current request: the cookie token and the
/// posted form token must both be present, carry the same value, and the form token must have
/// been issued for the currently authenticated user. Any failure throws the exception produced
/// by <c>CreateValidationException()</c>, so all failure modes look identical to the client.
/// </summary>
/// <param name="filterContext">The authorization context of the request being filtered.</param>
/// <exception cref="ArgumentNullException"><paramref name="filterContext"/> is null.</exception>
public void OnAuthorization(AuthorizationContext filterContext)
{
    if (filterContext == null)
    {
        throw new ArgumentNullException("filterContext");
    }

    // Form field name is application-path independent; the cookie name is scoped to the app path.
    string fieldName = AntiForgeryData.GetAntiForgeryTokenName(null);
    string cookieName = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath);

    HttpCookie cookie = filterContext.HttpContext.Request.Cookies[cookieName];
    if (cookie == null || String.IsNullOrEmpty(cookie.Value))
    {
        // error: cookie token is missing
        throw CreateValidationException();
    }

    // cookie.Value is attacker-controlled input; any integrity/tamper checking happens
    // inside Serializer.Deserialize (defined elsewhere) — NOTE(review): confirm it rejects
    // malformed or forged payloads rather than returning a partially-populated token.
    AntiForgeryData cookieToken = Serializer.Deserialize(cookie.Value);

    string formValue = filterContext.HttpContext.Request.Form[fieldName];
    if (String.IsNullOrEmpty(formValue))
    {
        // error: form token is missing
        throw CreateValidationException();
    }

    // formValue is likewise attacker-controlled; see the note on the cookie above.
    AntiForgeryData formToken = Serializer.Deserialize(formValue);

    // The two halves of the pair must agree exactly (ordinal, case-sensitive).
    // NOTE(review): String.Equals short-circuits on the first differing character; a
    // constant-time comparison would remove that timing signal if one is available here.
    if (!String.Equals(cookieToken.Value, formToken.Value, StringComparison.Ordinal))
    {
        // error: form token does not match cookie token
        throw CreateValidationException();
    }

    // Binds the form token to the identity it was issued for; the cookie token carries no
    // user binding, hence only the form token is checked.
    string currentUsername = AntiForgeryData.GetUsername(filterContext.HttpContext.User);
    if (!String.Equals(formToken.Username, currentUsername, StringComparison.OrdinalIgnoreCase))
    {
        // error: form token is not valid for this user
        // (don't care about cookie token)
        throw CreateValidationException();
    }

    // Extension point defined elsewhere in this type; its exact checks are not visible here.
    if (!ValidateFormToken(formToken))
    {
        // error: custom validation failed
        throw CreateValidationException();
    }
}
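/// <summary>
/// Returns the serialized form token for the current request, creating and issuing the
/// anti-forgery cookie when the request did not carry a usable one.
/// </summary>
/// <param name="salt">Caller-supplied salt stored in the form token.</param>
/// <param name="domain">Domain assigned to a newly created cookie.</param>
/// <param name="path">Path assigned to a newly created cookie; left at the default when null or empty.</param>
/// <returns>The serialized form token that pairs with the cookie token.</returns>
private string GetAntiForgeryTokenAndSetCookie(string salt, string domain, string path)
{
    string cookieName = AntiForgeryData.GetAntiForgeryTokenName(ViewContext.HttpContext.Request.ApplicationPath);
    HttpCookie cookie = ViewContext.HttpContext.Request.Cookies[cookieName];

    AntiForgeryData cookieToken;
    // A cookie that is present but empty is treated like a missing one, mirroring the
    // validation side (which rejects empty cookie values): mint a fresh token instead of
    // handing an empty string to the deserializer.
    if (cookie != null && !String.IsNullOrEmpty(cookie.Value))
    {
        // cookie.Value is client-supplied; tamper detection is the deserializer's job.
        cookieToken = Serializer.Deserialize(cookie.Value);
    }
    else
    {
        cookieToken = AntiForgeryData.NewToken();
        HttpCookie newCookie = new HttpCookie(cookieName, Serializer.Serialize(cookieToken))
        {
            HttpOnly = true,   // keep the cookie half out of reach of page script
            Domain = domain
        };
        if (!String.IsNullOrEmpty(path))
        {
            newCookie.Path = path;
        }
        // NOTE(review): the cookie is not marked Secure; for HTTPS-only deployments consider
        // setting it so the cookie token is never sent over plain HTTP — confirm with the deployment.
        ViewContext.HttpContext.Response.Cookies.Set(newCookie);
    }

    // The form token shares the cookie token's value and adds the caller's salt and a timestamp.
    // NOTE(review): CreationDate uses local time; if it is ever compared across machines,
    // DateTime.UtcNow would be the safer choice — confirm how the consumer uses it.
    AntiForgeryData formToken = new AntiForgeryData(cookieToken)
    {
        CreationDate = DateTime.Now,
        Salt = salt
    };
    return Serializer.Serialize(formToken);
}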