Diffstat (limited to 'projecttemplates/WebFormsRelyingParty/Code/Utilities.cs')
-rw-r--r-- | projecttemplates/WebFormsRelyingParty/Code/Utilities.cs | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/projecttemplates/WebFormsRelyingParty/Code/Utilities.cs b/projecttemplates/WebFormsRelyingParty/Code/Utilities.cs
new file mode 100644
index 0000000..b9c9f43
--- /dev/null
+++ b/projecttemplates/WebFormsRelyingParty/Code/Utilities.cs
@@ -0,0 +1,66 @@
+//-----------------------------------------------------------------------
+// <copyright file="Utilities.cs" company="Andrew Arnott">
+// Copyright (c) Andrew Arnott. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace WebFormsRelyingParty.Code {
+ using System;
+ using System.Collections.Generic;
+ using System.Linq;
+ using System.Security.Cryptography;
+ using System.Web;
+
+ public static class Utilities {
+ private static readonly RandomNumberGenerator CryptoRandomDataGenerator = new RNGCryptoServiceProvider();
+
+ public static string ApplicationRoot {
+ get {
+ string appRoot = HttpContext.Current.Request.ApplicationPath;
+ if (!appRoot.EndsWith("/", StringComparison.Ordinal)) {
+ appRoot += "/";
+ }
+
+ return appRoot;
+ }
+ }
+
+ public static string SetCsrfCookie() {
+ // Generate an unpredictable secret that goes to the user agent and must come back
+ // with authorization to guarantee the user interacted with this page rather than
+ // being scripted by an evil Consumer.
+ byte[] randomData = new byte[8];
+ CryptoRandomDataGenerator.GetBytes(randomData);
+ string secret = Convert.ToBase64String(randomData);
+
+ // Send the secret down as a cookie...
+ var cookie = new HttpCookie("CsrfCookie", secret) {
+ Path = HttpContext.Current.Request.Path,
+ HttpOnly = true,
+ Expires = DateTime.Now.AddMinutes(30),
+ };
+ HttpContext.Current.Response.SetCookie(cookie);
+
+ // ...and also return the secret so the caller can save it as a hidden form field.
+ return secret;
+ }
+
+ public static void VerifyCsrfCookie(string secret) {
+ var cookie = HttpContext.Current.Request.Cookies["CsrfCookie"];
+ if (cookie != null) {
+ if (cookie.Value == secret) {
+ // Valid CSRF check. Clear the cookie and return.
+ cookie.Expires = DateTime.Now.Subtract(TimeSpan.FromDays(1));
+ cookie.Value = string.Empty;
+ if (HttpContext.Current.Request.Browser["supportsEmptyStringInCookieValue"] == "false") {
+ cookie.Value = "NoCookie";
+ }
+ HttpContext.Current.Response.SetCookie(cookie);
+ return;
+ }
+ }
+
+ throw new InvalidOperationException("Invalid CSRF check.");
+ }
+ }
+} |
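Review bot: The cookie that VerifyCsrfCookie expires is taken from Request.Cookies, which carries no Path attribute, so the expiring Set-Cookie goes out for the default path and does not replace the original cookie that SetCsrfCookie scoped to `Path = HttpContext.Current.Request.Path`; the token therefore stays valid in the browser for the remaining 30 minutes and can be replayed, which defeats the "clear the cookie" intent of the comment. Assuming the verifying request hits the same page that issued the token, setting `cookie.Path = HttpContext.Current.Request.Path;` before `HttpContext.Current.Response.SetCookie(cookie);` makes the expiry match the original scope. In SetCsrfCookie the cookie initializer sets HttpOnly but not Secure, so the CSRF secret is also sent over plain HTTP; adding `Secure = HttpContext.Current.Request.IsSecureConnection,` keeps it TLS-only whenever the page itself was served over TLS. The `cookie.Value == secret` comparison is an ordinary early-exit string compare; since the token is 64 bits of CSPRNG output the timing exposure is minor, but a short comment stating that this is a double-submit-cookie check and not a constant-time compare would help the next reader judge the trade-off.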