author | Andrew Arnott <andrewarnott@gmail.com> | 2009-03-05 21:21:38 -0800 |
committer | Andrew Arnott <andrewarnott@gmail.com> | 2009-03-05 21:21:38 -0800 |
commit | fea8a2fe29087b8386167ab490b80bf5f10519f6 (patch) | |
tree | 0c9858344648915d4c72317fe96d867ed58d3d8f /samples/OpenIdProviderWebForms/Code | |
parent | 27d5edadafd755b47ab88dd1c28dfeccc81cf3f4 (diff) | |
response_nonces are now checked for replays by the RP against just those nonces generated by the same Provider.
Fixes Google Code Issue 175.
Diffstat (limited to 'samples/OpenIdProviderWebForms/Code')
3 files changed, 49 insertions, 18 deletions
diff --git a/samples/OpenIdProviderWebForms/Code/CustomStore.cs b/samples/OpenIdProviderWebForms/Code/CustomStore.cs
index b716e8d..d8181fe 100644
--- a/samples/OpenIdProviderWebForms/Code/CustomStore.cs
+++ b/samples/OpenIdProviderWebForms/Code/CustomStore.cs
@@ -79,6 +79,10 @@ namespace OpenIdProviderWebForms.Code {
  /// <summary>
  /// Stores a given nonce and timestamp.
  /// </summary>
+ /// <param name="context">The context, or namespace, within which the
+ /// <paramref name="nonce"/> must be unique.
+ /// The context SHOULD be treated as case-sensitive.
+ /// The value will never be <c>null</c> but may be the empty string.</param>
  /// <param name="nonce">A series of random characters.</param>
  /// <param name="timestamp">The timestamp that together with the nonce string make it unique.
  /// The timestamp may also be used by the data store to clear out old nonces.</param>
@@ -93,7 +97,7 @@ namespace OpenIdProviderWebForms.Code {
  /// is retrieved or set using the
  /// <see cref="StandardExpirationBindingElement.MaximumMessageAge"/> property.
  /// </remarks>
- public bool StoreNonce(string nonce, DateTime timestamp) {
+ public bool StoreNonce(string context, string nonce, DateTime timestamp) {
  // IMPORTANT: If actually persisting to a database that can be reached from
  // different servers/instances of this class at once, it is vitally important
  // to protect against race condition attacks by one or more of these:
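Review bot: The new `<param name="context">` doc states the context SHOULD be treated as case-sensitive, but the lookup this sample store performs (`dataSet.Nonce.FindByCodeContext`, which is `DataRowCollection.Find` on the table's primary key) compares strings according to `DataTable.CaseSensitive`, which is false unless set, so two contexts differing only in case would share one nonce namespace. That is the conservative direction for replay detection (the nonce is rejected under either spelling), but it does not match the contract the comment promises to callers. Either set `dataSet.Nonce.CaseSensitive = true;` where `dataSet` is initialized (outside this hunk), or reword the comment to say this sample compares contexts case-insensitively. StoreNonce's body continues past the end of the second hunk.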
@@ -106,12 +110,12 @@ namespace OpenIdProviderWebForms.Code { // and display some message to have the user try to log in again, and possibly // warn them about a replay attack. lock (this) { - if (dataSet.Nonce.FindByCode(nonce) != null) { + if (dataSet.Nonce.FindByCodeContext(nonce, context) != null) { return false; } TimeSpan maxMessageAge = DotNetOpenAuth.Configuration.DotNetOpenAuthSection.Configuration.Messaging.MaximumMessageLifetime; - dataSet.Nonce.AddNonceRow(nonce, timestamp.ToLocalTime(), (timestamp + maxMessageAge).ToLocalTime()); + dataSet.Nonce.AddNonceRow(context, nonce, timestamp.ToLocalTime(), (timestamp + maxMessageAge).ToLocalTime()); return true; } } diff --git a/samples/OpenIdProviderWebForms/Code/CustomStoreDataSet.Designer.cs b/samples/OpenIdProviderWebForms/Code/CustomStoreDataSet.Designer.cs index 4870172..d836261 100644 --- a/samples/OpenIdProviderWebForms/Code/CustomStoreDataSet.Designer.cs +++ b/samples/OpenIdProviderWebForms/Code/CustomStoreDataSet.Designer.cs @@ -570,6 +570,8 @@ namespace OpenIdProviderWebForms.Code { [global::System.Xml.Serialization.XmlSchemaProviderAttribute("GetTypedTableSchema")] public partial class NonceDataTable : global::System.Data.TypedTableBase<NonceRow> { + private global::System.Data.DataColumn columnContext; + private global::System.Data.DataColumn columnCode; private global::System.Data.DataColumn columnIssued; @@ -607,6 +609,13 @@ namespace OpenIdProviderWebForms.Code { } [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] + public global::System.Data.DataColumn ContextColumn { + get { + return this.columnContext; + } + } + + [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] public global::System.Data.DataColumn CodeColumn { get { return this.columnCode; 
@@ -656,9 +665,10 @@ namespace OpenIdProviderWebForms.Code { } [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] - public NonceRow AddNonceRow(string Code, System.DateTime Issued, System.DateTime Expires) { + public NonceRow AddNonceRow(string Context, string Code, System.DateTime Issued, System.DateTime Expires) { NonceRow rowNonceRow = ((NonceRow)(this.NewRow())); object[] columnValuesArray = new object[] { + Context, Code, Issued, Expires}; @@ -668,9 +678,10 @@ namespace OpenIdProviderWebForms.Code { } [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] - public NonceRow FindByCode(string Code) { + public NonceRow FindByCodeContext(string Code, string Context) { return ((NonceRow)(this.Rows.Find(new object[] { - Code}))); + Code, + Context}))); } [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] @@ -687,6 +698,7 @@ namespace OpenIdProviderWebForms.Code { [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] internal void InitVars() { + this.columnContext = base.Columns["Context"]; this.columnCode = base.Columns["Code"]; this.columnIssued = base.Columns["Issued"]; this.columnExpires = base.Columns["Expires"]; 
@@ -694,16 +706,19 @@ namespace OpenIdProviderWebForms.Code { [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] private void InitClass() { + this.columnContext = new global::System.Data.DataColumn("Context", typeof(string), null, global::System.Data.MappingType.Element); + base.Columns.Add(this.columnContext); this.columnCode = new global::System.Data.DataColumn("Code", typeof(string), null, global::System.Data.MappingType.Element); base.Columns.Add(this.columnCode); this.columnIssued = new global::System.Data.DataColumn("Issued", typeof(global::System.DateTime), null, global::System.Data.MappingType.Element); base.Columns.Add(this.columnIssued); this.columnExpires = new global::System.Data.DataColumn("Expires", typeof(global::System.DateTime), null, global::System.Data.MappingType.Element); base.Columns.Add(this.columnExpires); - this.Constraints.Add(new global::System.Data.UniqueConstraint("PrimaryKey", new global::System.Data.DataColumn[] { - this.columnCode}, true)); + this.Constraints.Add(new global::System.Data.UniqueConstraint("Constraint1", new global::System.Data.DataColumn[] { + this.columnCode, + this.columnContext}, true)); + this.columnContext.AllowDBNull = false; this.columnCode.AllowDBNull = false; - this.columnCode.Unique = true; this.columnIssued.AllowDBNull = false; this.columnExpires.AllowDBNull = false; } @@ -893,6 +908,16 @@ namespace OpenIdProviderWebForms.Code { } [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] + public string Context { + get { + return ((string)(this[this.tableNonce.ContextColumn])); + } + set { + this[this.tableNonce.ContextColumn] = value; + } + } + + [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] public string Code { get { return ((string)(this[this.tableNonce.CodeColumn])); diff --git a/samples/OpenIdProviderWebForms/Code/CustomStoreDataSet.xsd b/samples/OpenIdProviderWebForms/Code/CustomStoreDataSet.xsd index d796d88..295fe74 100644 
--- a/samples/OpenIdProviderWebForms/Code/CustomStoreDataSet.xsd
+++ b/samples/OpenIdProviderWebForms/Code/CustomStoreDataSet.xsd
@@ -15,19 +15,20 @@ <xs:element name="Association" msprop:Generator_UserTableName="Association" msprop:Generator_RowDeletedName="AssociationRowDeleted" msprop:Generator_RowChangedName="AssociationRowChanged" msprop:Generator_RowClassName="AssociationRow" msprop:Generator_RowChangingName="AssociationRowChanging" msprop:Generator_RowEvArgName="AssociationRowChangeEvent" msprop:Generator_RowEvHandlerName="AssociationRowChangeEventHandler" msprop:Generator_TableClassName="AssociationDataTable" msprop:Generator_TableVarName="tableAssociation" msprop:Generator_RowDeletingName="AssociationRowDeleting" msprop:Generator_TablePropName="Association"> <xs:complexType> <xs:sequence> - <xs:element name="DistinguishingFactor" msprop:Generator_UserColumnName="DistinguishingFactor" msprop:Generator_ColumnVarNameInTable="columnDistinguishingFactor" msprop:Generator_ColumnPropNameInRow="DistinguishingFactor" msprop:Generator_ColumnPropNameInTable="DistinguishingFactorColumn" type="xs:string" /> - <xs:element name="Handle" msprop:Generator_UserColumnName="Handle" msprop:Generator_ColumnVarNameInTable="columnHandle" msprop:Generator_ColumnPropNameInRow="Handle" msprop:Generator_ColumnPropNameInTable="HandleColumn" type="xs:string" /> - <xs:element name="Expires" msprop:Generator_UserColumnName="Expires" msprop:Generator_ColumnVarNameInTable="columnExpires" msprop:Generator_ColumnPropNameInRow="Expires" msprop:Generator_ColumnPropNameInTable="ExpiresColumn" type="xs:dateTime" /> - <xs:element name="PrivateData" msprop:Generator_UserColumnName="PrivateData" msprop:Generator_ColumnVarNameInTable="columnPrivateData" msprop:Generator_ColumnPropNameInRow="PrivateData" msprop:Generator_ColumnPropNameInTable="PrivateDataColumn" type="xs:base64Binary" /> + <xs:element name="DistinguishingFactor" msprop:Generator_UserColumnName="DistinguishingFactor" msprop:Generator_ColumnPropNameInRow="DistinguishingFactor" msprop:Generator_ColumnVarNameInTable="columnDistinguishingFactor" 
msprop:Generator_ColumnPropNameInTable="DistinguishingFactorColumn" type="xs:string" /> + <xs:element name="Handle" msprop:Generator_UserColumnName="Handle" msprop:Generator_ColumnPropNameInRow="Handle" msprop:Generator_ColumnVarNameInTable="columnHandle" msprop:Generator_ColumnPropNameInTable="HandleColumn" type="xs:string" /> + <xs:element name="Expires" msprop:Generator_UserColumnName="Expires" msprop:Generator_ColumnPropNameInRow="Expires" msprop:Generator_ColumnVarNameInTable="columnExpires" msprop:Generator_ColumnPropNameInTable="ExpiresColumn" type="xs:dateTime" /> + <xs:element name="PrivateData" msprop:Generator_UserColumnName="PrivateData" msprop:Generator_ColumnPropNameInRow="PrivateData" msprop:Generator_ColumnVarNameInTable="columnPrivateData" msprop:Generator_ColumnPropNameInTable="PrivateDataColumn" type="xs:base64Binary" /> </xs:sequence> </xs:complexType> </xs:element> - <xs:element name="Nonce" msprop:Generator_UserTableName="Nonce" msprop:Generator_RowDeletedName="NonceRowDeleted" msprop:Generator_TableClassName="NonceDataTable" msprop:Generator_RowChangedName="NonceRowChanged" msprop:Generator_RowClassName="NonceRow" msprop:Generator_RowChangingName="NonceRowChanging" msprop:Generator_RowEvArgName="NonceRowChangeEvent" msprop:Generator_RowEvHandlerName="NonceRowChangeEventHandler" msprop:Generator_TablePropName="Nonce" msprop:Generator_TableVarName="tableNonce" msprop:Generator_RowDeletingName="NonceRowDeleting"> + <xs:element name="Nonce" msprop:Generator_UserTableName="Nonce" msprop:Generator_RowDeletedName="NonceRowDeleted" msprop:Generator_RowChangedName="NonceRowChanged" msprop:Generator_RowClassName="NonceRow" msprop:Generator_RowChangingName="NonceRowChanging" msprop:Generator_RowEvArgName="NonceRowChangeEvent" msprop:Generator_RowEvHandlerName="NonceRowChangeEventHandler" msprop:Generator_TableClassName="NonceDataTable" msprop:Generator_TableVarName="tableNonce" msprop:Generator_RowDeletingName="NonceRowDeleting" 
msprop:Generator_TablePropName="Nonce"> <xs:complexType> <xs:sequence> - <xs:element name="Code" msprop:Generator_UserColumnName="Code" msprop:Generator_ColumnPropNameInRow="Code" msprop:Generator_ColumnVarNameInTable="columnCode" msprop:Generator_ColumnPropNameInTable="CodeColumn" type="xs:string" /> - <xs:element name="Issued" msprop:Generator_UserColumnName="Issued" msprop:Generator_ColumnPropNameInRow="Issued" msprop:Generator_ColumnVarNameInTable="columnIssued" msprop:Generator_ColumnPropNameInTable="IssuedColumn" type="xs:dateTime" /> - <xs:element name="Expires" msprop:Generator_UserColumnName="Expires" msprop:Generator_ColumnPropNameInRow="Expires" msprop:Generator_ColumnVarNameInTable="columnExpires" msprop:Generator_ColumnPropNameInTable="ExpiresColumn" type="xs:dateTime" /> + <xs:element name="Context" msprop:Generator_UserColumnName="Context" msprop:Generator_ColumnPropNameInRow="Context" msprop:Generator_ColumnVarNameInTable="columnContext" msprop:Generator_ColumnPropNameInTable="ContextColumn" type="xs:string" /> + <xs:element name="Code" msprop:Generator_UserColumnName="Code" msprop:Generator_ColumnVarNameInTable="columnCode" msprop:Generator_ColumnPropNameInRow="Code" msprop:Generator_ColumnPropNameInTable="CodeColumn" type="xs:string" /> + <xs:element name="Issued" msprop:Generator_UserColumnName="Issued" msprop:Generator_ColumnVarNameInTable="columnIssued" msprop:Generator_ColumnPropNameInRow="Issued" msprop:Generator_ColumnPropNameInTable="IssuedColumn" type="xs:dateTime" /> + <xs:element name="Expires" msprop:Generator_UserColumnName="Expires" msprop:Generator_ColumnVarNameInTable="columnExpires" msprop:Generator_ColumnPropNameInRow="Expires" msprop:Generator_ColumnPropNameInTable="ExpiresColumn" type="xs:dateTime" /> </xs:sequence> </xs:complexType> </xs:element> 
@@ -38,9 +39,10 @@ <xs:field xpath="mstns:DistinguishingFactor" /> <xs:field xpath="mstns:Handle" /> </xs:unique> - <xs:unique name="Nonce_PrimaryKey" msdata:ConstraintName="PrimaryKey" msdata:PrimaryKey="true"> + <xs:unique name="Constraint1" msdata:PrimaryKey="true"> <xs:selector xpath=".//mstns:Nonce" /> <xs:field xpath="mstns:Code" /> + <xs:field xpath="mstns:Context" /> </xs:unique> </xs:element> </xs:schema>
\ No newline at end of file |
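Review bot: The composite key on Nonce is now named `Constraint1`, the designer's default, replacing the descriptive `Nonce_PrimaryKey` / `msdata:ConstraintName="PrimaryKey"` it had before; that name is also what the generated `InitClass` emits into `new UniqueConstraint("Constraint1", ...)`, so it surfaces in constraint-violation messages. A self-describing name would keep the schema and the generated code readable, e.g. `<xs:unique name="Nonce_PrimaryKey" msdata:ConstraintName="PrimaryKey" msdata:PrimaryKey="true">`, with the two `<xs:field>` entries unchanged. This is a style point only; the Code+Context key itself is what the fix needs.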