author | Andrew Arnott <andrewarnott@gmail.com> | 2013-03-19 21:48:49 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2013-03-19 21:48:49 -0700 |
commit | b117db5327ee30aae7d2ec8e9172dca85e933848 (patch) | |
tree | 622375c2d4ac3be8b5ed8823daebc6d2c0c3afc4 /src/DotNetOpenAuth.OAuth2.Client/OAuth2/WebServerClient.cs | |
parent | 2eb59292e2a2f22866d95684606334845d8997e5 (diff) | |
Fixes the rest of the build breaks!
Diffstat (limited to 'src/DotNetOpenAuth.OAuth2.Client/OAuth2/WebServerClient.cs')
-rw-r--r-- | src/DotNetOpenAuth.OAuth2.Client/OAuth2/WebServerClient.cs | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/src/DotNetOpenAuth.OAuth2.Client/OAuth2/WebServerClient.cs b/src/DotNetOpenAuth.OAuth2.Client/OAuth2/WebServerClient.cs
index 4e9011a..5560fd5 100644
--- a/src/DotNetOpenAuth.OAuth2.Client/OAuth2/WebServerClient.cs
+++ b/src/DotNetOpenAuth.OAuth2.Client/OAuth2/WebServerClient.cs
@@ -11,6 +11,7 @@ namespace DotNetOpenAuth.OAuth2 {
 	using System.Linq;
 	using System.Net;
 	using System.Net.Http;
+	using System.Net.Http.Headers;
 	using System.Text;
 	using System.Threading;
 	using System.Threading.Tasks;
@@ -104,23 +105,18 @@ namespace DotNetOpenAuth.OAuth2 {
 			// Mitigate XSRF attacks by including a state value that would be unpredictable between users, but
 			// verifiable for the same user/session.
 			// If the host is implementing the authorization tracker though, they're handling this protection themselves.
-			Cookie cookie = null;
+			var cookies = new List<CookieHeaderValue>();
 			if (this.AuthorizationTracker == null) {
-				var context = this.Channel.GetHttpContext();
-
 				string xsrfKey = MessagingUtilities.GetNonCryptoRandomDataAsBase64(16);
-				cookie = new Cookie(XsrfCookieName, xsrfKey) {
+				cookies.Add(new CookieHeaderValue(XsrfCookieName, xsrfKey) {
 					HttpOnly = true,
 					Secure = FormsAuthentication.RequireSSL,
-					////Expires = DateTime.Now.Add(OAuth2ClientSection.Configuration.MaxAuthorizationTime), // we prefer session cookies to persistent ones
-				};
+				});
 				request.ClientState = xsrfKey;
 			}
 
 			var response = await this.Channel.PrepareResponseAsync(request, cancellationToken);
-			if (cookie != null) {
-				response.Headers.SetCookie(cookie);
-			}
+			response.Headers.AddCookies(cookies);
 
 			return response;
 		}
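Review bot: The comment explaining that Expires is deliberately omitted ("we prefer session cookies to persistent ones") disappears together with the commented-out line it sat on, so the new `cookies.Add(new CookieHeaderValue(XsrfCookieName, xsrfKey) { ... })` gives the next reader no hint that the missing Expires/MaxAge is intentional; keep the intent as a comment inside the initializer, e.g. `// No Expires on purpose: a session cookie is preferred to a persistent one.` `response.Headers.AddCookies(cookies)` now runs even when the list is empty (the AuthorizationTracker path), which looks harmless, but wrapping it in `if (cookies.Count > 0) { ... }` would preserve the old behaviour of emitting no Set-Cookie header at all in that case. The value the new cookie carries still comes from `MessagingUtilities.GetNonCryptoRandomDataAsBase64(16)`, which is unchanged by this commit even though the comment above it requires the state to be unpredictable between users; since the cookie/state pair is the whole XSRF check, a cryptographically random source would be the safer fit. The enclosing method begins before this hunk.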
@@ -156,8 +152,11 @@ namespace DotNetOpenAuth.OAuth2 {
 				authorizationState = this.AuthorizationTracker.GetAuthorizationState(callback, response.ClientState);
 				ErrorUtilities.VerifyProtocol(authorizationState != null, ClientStrings.AuthorizationResponseUnexpectedMismatch);
 			} else {
-				HttpCookie cookie = request.Headers.Cookies[XsrfCookieName];
-				ErrorUtilities.VerifyProtocol(cookie != null && string.Equals(response.ClientState, cookie.Value, StringComparison.Ordinal), ClientStrings.AuthorizationResponseUnexpectedMismatch);
+				var xsrfCookieValue = (from cookieHeader in request.Headers.GetCookies()
+					from cookie in cookieHeader.Cookies
+					where cookie.Name == XsrfCookieName
+					select cookie.Value).FirstOrDefault();
+				ErrorUtilities.VerifyProtocol(xsrfCookieValue != null && string.Equals(response.ClientState, xsrfCookieValue, StringComparison.Ordinal), ClientStrings.AuthorizationResponseUnexpectedMismatch);
 				authorizationState = new AuthorizationState { Callback = callback };
 			}
 			var success = response as EndUserAuthorizationSuccessAuthCodeResponse;
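Review bot: Only the first cookie named XsrfCookieName is consulted, because the new query ends in `.FirstOrDefault()`; if a browser sends several cookies of that name (for example set under different paths by an earlier deployment), a stale one can win and the verification will report a mismatch even though a valid cookie was also present. That first-match rule is a reasonable choice for an XSRF check, but it should be stated next to the query, e.g. `// Only the first XSRF cookie counts; a stale duplicate will fail verification rather than be skipped.` The `where cookie.Name == XsrfCookieName` clause uses plain `==` while the line below spells out `StringComparison.Ordinal`; the two are equivalent for strings, but `where string.Equals(cookie.Name, XsrfCookieName, StringComparison.Ordinal)` keeps the style consistent. The enclosing method starts and ends outside this hunk.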