private void OnLeave(object source, EventArgs eventArgs) { if (this._fOnEnterCalled) { this._fOnEnterCalled = false; } else { return; } HttpApplication application = (HttpApplication)source; HttpContext context = application.Context; if (context.Response.Cookies.GetNoCreate(FormsAuthentication.FormsCookieName) != null) { context.Response.Cache.SetCacheability(HttpCacheability.NoCache, "Set-Cookie"); } if (context.Response.StatusCode == 0x191) { string rawUrl = context.Request.RawUrl; if ((rawUrl.IndexOf("?ReturnUrl=", StringComparison.Ordinal) == -1) && (rawUrl.IndexOf("&ReturnUrl=", StringComparison.Ordinal) == -1)) { string str3; string strUrl = null; if (!string.IsNullOrEmpty(FormsAuthentication.LoginUrl)) { strUrl = AuthenticationConfig.GetCompleteLoginUrl(context, FormsAuthentication.LoginUrl); } if ((strUrl == null) || (strUrl.Length <= 0)) { throw new HttpException(System.Web.SR.GetString("Auth_Invalid_Login_Url")); } CookielessHelperClass cookielessHelper = context.CookielessHelper; if (strUrl.IndexOf('?') >= 0) { str3 = FormsAuthentication.RemoveQueryStringVariableFromUrl(strUrl, "ReturnUrl") + "&ReturnUrl=" + HttpUtility.UrlEncode(rawUrl, context.Request.ContentEncoding); } else { str3 = strUrl + "?ReturnUrl=" + HttpUtility.UrlEncode(rawUrl, context.Request.ContentEncoding); } int index = rawUrl.IndexOf('?'); if ((index >= 0) && (index < (rawUrl.Length - 1))) { str3 = str3 + "&" + rawUrl.Substring(index + 1); } cookielessHelper.SetCookieValue('F', null); cookielessHelper.RedirectWithDetectionIfRequired(str3, FormsAuthentication.CookieMode); context.Response.Redirect(str3, false); } } }
//////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////// // Private method for decrypting a cookie private static FormsAuthenticationTicket ExtractTicketFromCookie(HttpContext context, String name, out bool cookielessTicket) { FormsAuthenticationTicket ticket = null; string encValue = null; bool ticketExpired = false; bool badTicket = false; try { try { //////////////////////////////////////////////////////////// // Step 0: Check if we should use cookieless cookielessTicket = CookielessHelperClass.UseCookieless(context, false, FormsAuthentication.CookieMode); //////////////////////////////////////////////////////////// // Step 1: Check URI/cookie for ticket if (cookielessTicket) { encValue = context.CookielessHelper.GetCookieValue('F'); } else { HttpCookie cookie = context.Request.Cookies[name]; if (cookie != null) { encValue = cookie.Value; } } //////////////////////////////////////////////////////////// // Step 2: Decrypt encrypted ticket if (encValue != null && encValue.Length > 1) { try { ticket = FormsAuthentication.Decrypt(encValue); } catch { if (cookielessTicket) { context.CookielessHelper.SetCookieValue('F', null); } else { context.Request.Cookies.Remove(name); } badTicket = true; //throw; } if (ticket == null) { badTicket = true; } if (ticket != null && !ticket.Expired) { if (cookielessTicket || !FormsAuthentication.RequireSSL || context.Request.IsSecureConnection) // Make sure it is NOT a secure cookie over an in-secure connection { return(ticket); // Found valid ticket } } if (ticket != null && ticket.Expired) { ticketExpired = true; } // Step 2b: Remove expired/bad ticket ticket = null; if (cookielessTicket) { context.CookielessHelper.SetCookieValue('F', null); } else { context.Request.Cookies.Remove(name); } } //////////////////////////////////////////////////////////// // Step 3: Look in QueryString if (FormsAuthentication.EnableCrossAppRedirects) { encValue = context.Request.QueryString[name]; if (encValue != null && encValue.Length > 1) { if (!cookielessTicket && FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect) { cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode); // find out for sure } try { ticket = FormsAuthentication.Decrypt(encValue); } catch { badTicket = true; //throw; } if (ticket == null) { badTicket = true; } } // Step 3b: Look elsewhere in the request (i.e. posted body) if (ticket == null || ticket.Expired) { encValue = context.Request.Form[name]; if (encValue != null && encValue.Length > 1) { if (!cookielessTicket && FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect) { cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode); // find out for sure } try { ticket = FormsAuthentication.Decrypt(encValue); } catch { badTicket = true; //throw; } if (ticket == null) { badTicket = true; } } } } if (ticket == null || ticket.Expired) { if (ticket != null && ticket.Expired) { ticketExpired = true; } return(null); // not found! Exit with null } if (FormsAuthentication.RequireSSL && !context.Request.IsSecureConnection) // Bad scenario: valid ticket over non-SSL { throw new HttpException(SR.GetString(SR.Connection_not_secure_creating_secure_cookie)); } //////////////////////////////////////////////////////////// // Step 4: Create the cookie/URI value if (cookielessTicket) { if (ticket.CookiePath != "/") { FormsAuthenticationTicket tempTicket = FormsAuthenticationTicket.FromUtc(ticket.Version, ticket.Name, ticket.IssueDateUtc, ticket.ExpirationUtc, ticket.IsPersistent, ticket.UserData, "/"); ticket = tempTicket; encValue = FormsAuthentication.Encrypt(ticket); } context.CookielessHelper.SetCookieValue('F', encValue); string strUrl = FormsAuthentication.RemoveQueryStringVariableFromUrl(context.Request.RawUrl, name); context.Response.Redirect(strUrl); } else { HttpCookie cookie = new HttpCookie(name, encValue); cookie.HttpOnly = true; cookie.Path = ticket.CookiePath; if (ticket.IsPersistent) { cookie.Expires = ticket.Expiration; } cookie.Secure = FormsAuthentication.RequireSSL; if (FormsAuthentication.CookieDomain != null) { cookie.Domain = FormsAuthentication.CookieDomain; } context.Response.Cookies.Remove(cookie.Name); context.Response.Cookies.Add(cookie); } return(ticket); } finally { if (badTicket) { WebBaseEvent.RaiseSystemEvent(null, WebEventCodes.AuditFormsAuthenticationFailure, WebEventCodes.InvalidTicketFailure); } else if (ticketExpired) { WebBaseEvent.RaiseSystemEvent(null, WebEventCodes.AuditFormsAuthenticationFailure, WebEventCodes.ExpiredTicketFailure); } } } catch { throw; } }
//////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////// /// <devdoc> /// <para>[To be supplied.]</para> /// </devdoc> private void OnLeave(Object source, EventArgs eventArgs) { if (_fOnEnterCalled) { _fOnEnterCalled = false; } else { return; // no need to continue if we skipped OnEnter } HttpApplication app; HttpContext context; app = (HttpApplication)source; context = app.Context; //////////////////////////////////////////////////////////// // Step 1: Check if we are using cookie authentication and // if authentication failed if (context.Response.StatusCode != 401) { return; } //////////////////////////////////////////////////////////// // Change 401 to a redirect to login page // Don't do it if the redirect is suppressed for this response if (context.Response.SuppressFormsAuthenticationRedirect) { return; } // Don't do it if already there is ReturnUrl, already being redirected, // to avoid infinite redirection loop String strUrl = context.Request.RawUrl; if (strUrl.IndexOf("?" + FormsAuthentication.ReturnUrlVar + "=", StringComparison.Ordinal) != -1 || strUrl.IndexOf("&" + FormsAuthentication.ReturnUrlVar + "=", StringComparison.Ordinal) != -1) { return; } //////////////////////////////////////////////////////////// // Step 2: Get the complete url to the login-page String loginUrl = null; if (!String.IsNullOrEmpty(FormsAuthentication.LoginUrl)) { loginUrl = AuthenticationConfig.GetCompleteLoginUrl(context, FormsAuthentication.LoginUrl); } //////////////////////////////////////////////////////////// // Step 3: Check if we have a valid url to the login-page if (loginUrl == null || loginUrl.Length <= 0) { throw new HttpException(SR.GetString(SR.Auth_Invalid_Login_Url)); } //////////////////////////////////////////////////////////// // Step 4: Construct the redirect-to url String strRedirect; int iIndex; CookielessHelperClass cookielessHelper; // if(context.Request.Browser["isMobileDevice"] == "true") { // //__redir=1 is marker for devices that post on redirect // if(strUrl.IndexOf("__redir=1") >= 0) { // strUrl = SanitizeUrlForCookieless(strUrl); // } // else { // if(strUrl.IndexOf('?') >= 0) // strSep = "&"; // else // strSep = "?"; // strUrl = SanitizeUrlForCookieless(strUrl + strSep + "__redir=1"); // } // } // Create the CookielessHelper class to rewrite the path, if needed. cookielessHelper = context.CookielessHelper; if (loginUrl.IndexOf('?') >= 0) { loginUrl = FormsAuthentication.RemoveQueryStringVariableFromUrl(loginUrl, FormsAuthentication.ReturnUrlVar); strRedirect = loginUrl + "&" + FormsAuthentication.ReturnUrlVar + "=" + HttpUtility.UrlEncode(strUrl, context.Request.ContentEncoding); } else { strRedirect = loginUrl + "?" + FormsAuthentication.ReturnUrlVar + "=" + HttpUtility.UrlEncode(strUrl, context.Request.ContentEncoding); } //////////////////////////////////////////////////////////// // Step 5: Add the query-string from the current url iIndex = strUrl.IndexOf('?'); if (iIndex >= 0 && iIndex < strUrl.Length - 1) { strRedirect += "&" + strUrl.Substring(iIndex + 1); } cookielessHelper.SetCookieValue('F', null); // remove old ticket if present cookielessHelper.RedirectWithDetectionIfRequired(strRedirect, FormsAuthentication.CookieMode); //////////////////////////////////////////////////////////// // Step 6: Do the redirect context.Response.Redirect(strRedirect, false); }
private static FormsAuthenticationTicket ExtractTicketFromCookie(HttpContext context, string name, out bool cookielessTicket) { FormsAuthenticationTicket ticket = null; string encryptedTicket = null; FormsAuthenticationTicket ticket2; bool flag = false; bool flag2 = false; try { try { cookielessTicket = CookielessHelperClass.UseCookieless(context, false, FormsAuthentication.CookieMode); if (cookielessTicket) { encryptedTicket = context.CookielessHelper.GetCookieValue('F'); } else { HttpCookie cookie = context.Request.Cookies[name]; if (cookie != null) { encryptedTicket = cookie.Value; } } if ((encryptedTicket != null) && (encryptedTicket.Length > 1)) { try { ticket = FormsAuthentication.Decrypt(encryptedTicket); } catch { if (cookielessTicket) { context.CookielessHelper.SetCookieValue('F', null); } else { context.Request.Cookies.Remove(name); } flag2 = true; } if (ticket == null) { flag2 = true; } if (((ticket != null) && !ticket.Expired) && ((cookielessTicket || !FormsAuthentication.RequireSSL) || context.Request.IsSecureConnection)) { return(ticket); } if ((ticket != null) && ticket.Expired) { flag = true; } ticket = null; if (cookielessTicket) { context.CookielessHelper.SetCookieValue('F', null); } else { context.Request.Cookies.Remove(name); } } if (FormsAuthentication.EnableCrossAppRedirects) { encryptedTicket = context.Request.QueryString[name]; if ((encryptedTicket != null) && (encryptedTicket.Length > 1)) { if (!cookielessTicket && (FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect)) { cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode); } try { ticket = FormsAuthentication.Decrypt(encryptedTicket); } catch { flag2 = true; } if (ticket == null) { flag2 = true; } } if ((ticket == null) || ticket.Expired) { encryptedTicket = context.Request.Form[name]; if ((encryptedTicket != null) && (encryptedTicket.Length > 1)) { if (!cookielessTicket && (FormsAuthentication.CookieMode == HttpCookieMode.AutoDetect)) { cookielessTicket = CookielessHelperClass.UseCookieless(context, true, FormsAuthentication.CookieMode); } try { ticket = FormsAuthentication.Decrypt(encryptedTicket); } catch { flag2 = true; } if (ticket == null) { flag2 = true; } } } } if ((ticket == null) || ticket.Expired) { if ((ticket != null) && ticket.Expired) { flag = true; } return(null); } if (FormsAuthentication.RequireSSL && !context.Request.IsSecureConnection) { throw new HttpException(System.Web.SR.GetString("Connection_not_secure_creating_secure_cookie")); } if (cookielessTicket) { if (ticket.CookiePath != "/") { ticket = FormsAuthenticationTicket.FromUtc(ticket.Version, ticket.Name, ticket.IssueDateUtc, ticket.ExpirationUtc, ticket.IsPersistent, ticket.UserData, "/"); encryptedTicket = FormsAuthentication.Encrypt(ticket); } context.CookielessHelper.SetCookieValue('F', encryptedTicket); string url = FormsAuthentication.RemoveQueryStringVariableFromUrl(context.Request.RawUrl, name); context.Response.Redirect(url); } else { HttpCookie cookie2 = new HttpCookie(name, encryptedTicket) { HttpOnly = true, Path = ticket.CookiePath }; if (ticket.IsPersistent) { cookie2.Expires = ticket.Expiration; } cookie2.Secure = FormsAuthentication.RequireSSL; if (FormsAuthentication.CookieDomain != null) { cookie2.Domain = FormsAuthentication.CookieDomain; } context.Response.Cookies.Remove(cookie2.Name); context.Response.Cookies.Add(cookie2); } ticket2 = ticket; } finally { if (flag2) { WebBaseEvent.RaiseSystemEvent(null, 0xfa5, 0xc419); } else if (flag) { WebBaseEvent.RaiseSystemEvent(null, 0xfa5, 0xc41a); } } } catch { throw; } return(ticket2); }