summaryrefslogtreecommitdiffstats
path: root/src/DotNetOpenAuth.AspNet/OpenAuthSecurityManager.cs
diff options
context:
space:
mode:
Diffstat (limited to 'src/DotNetOpenAuth.AspNet/OpenAuthSecurityManager.cs')
-rw-r--r--src/DotNetOpenAuth.AspNet/OpenAuthSecurityManager.cs40
1 files changed, 24 insertions, 16 deletions
diff --git a/src/DotNetOpenAuth.AspNet/OpenAuthSecurityManager.cs b/src/DotNetOpenAuth.AspNet/OpenAuthSecurityManager.cs
index 8327042..d33913a 100644
--- a/src/DotNetOpenAuth.AspNet/OpenAuthSecurityManager.cs
+++ b/src/DotNetOpenAuth.AspNet/OpenAuthSecurityManager.cs
@@ -163,10 +163,12 @@ namespace DotNetOpenAuth.AspNet {
// Guard against XSRF attack by injecting session id into the redirect url and response cookie.
// Upon returning from the external provider, we'll compare the session id value in the query
// string and the cookie. If they don't match, we'll reject the request.
- string sessionId = Guid.NewGuid().ToString();
+ string sessionId = Guid.NewGuid().ToString("N");
uri = uri.AttachQueryStringParameter(SessionIdQueryStringName, sessionId);
- var xsrfCookie = new HttpCookie(SessionIdCookieName, sessionId);
+ var xsrfCookie = new HttpCookie(SessionIdCookieName, sessionId) {
+ HttpOnly = true
+ };
if (FormsAuthentication.RequireSSL) {
xsrfCookie.Secure = true;
}
@@ -179,14 +181,6 @@ namespace DotNetOpenAuth.AspNet {
/// <summary>
/// Checks if user is successfully authenticated when user is redirected back to this user.
/// </summary>
- /// <returns>The result of the authentication.</returns>
- public AuthenticationResult VerifyAuthentication() {
- return VerifyAuthentication(returnUrl: null);
- }
-
- /// <summary>
- /// Checks if user is successfully authenticated when user is redirected back to this user.
- /// </summary>
/// <param name="returnUrl">The return Url which must match exactly the Url passed into RequestAuthentication() earlier.</param>
/// <remarks>
/// This returnUrl parameter only applies to OAuth2 providers. For other providers, it ignores the returnUrl parameter.
@@ -196,7 +190,8 @@ namespace DotNetOpenAuth.AspNet {
/// </returns>
public AuthenticationResult VerifyAuthentication(string returnUrl) {
// check for XSRF attack
- bool successful = this.ValidateRequestAgainstXsrfAttack();
+ string sessionId;
+ bool successful = this.ValidateRequestAgainstXsrfAttack(out sessionId);
if (!successful) {
return new AuthenticationResult(
isSuccessful: false,
@@ -222,6 +217,10 @@ namespace DotNetOpenAuth.AspNet {
// the login when user is redirected back to this page
uri = uri.AttachQueryStringParameter(ProviderQueryStringName, this.authenticationProvider.ProviderName);
+ // When we called RequestAuthentication(), we put the sessionId in the returnUrl query string.
+ // Hence, we need to put it in the VerifyAuthentication url again to please FB/Microsoft account providers.
+ uri = uri.AttachQueryStringParameter(SessionIdQueryStringName, sessionId);
+
try {
AuthenticationResult result = oauth2Client.VerifyAuthentication(this.requestContext, uri);
if (!result.IsSuccessful) {
@@ -248,23 +247,32 @@ namespace DotNetOpenAuth.AspNet {
/// <summary>
/// Validates the request against XSRF attack.
/// </summary>
- /// <returns><c>true</c> if the request is safe. Otherwise, <c>false</c>.</returns>
- private bool ValidateRequestAgainstXsrfAttack() {
+ /// <param name="sessionId">The session id embedded in the query string.</param>
+ /// <returns>
+ /// <c>true</c> if the request is safe. Otherwise, <c>false</c>.
+ /// </returns>
+ private bool ValidateRequestAgainstXsrfAttack(out string sessionId) {
// get the session id query string parameter
string queryStringSessionId = this.requestContext.Request.QueryString[SessionIdQueryStringName];
+ // verify that the query string value is a valid guid
+ Guid guid;
+ if (!Guid.TryParse(queryStringSessionId, out guid)) {
+ sessionId = null;
+ return false;
+ }
+
// get the cookie id query string parameter
var cookie = this.requestContext.Request.Cookies[SessionIdCookieName];
- bool successful = !string.IsNullOrEmpty(queryStringSessionId) &&
- cookie != null &&
- queryStringSessionId == cookie.Value;
+ bool successful = cookie != null && queryStringSessionId == cookie.Value;
if (successful) {
// be a good citizen, clean up cookie when the authentication succeeds
this.requestContext.Response.Cookies.Remove(SessionIdCookieName);
}
+ sessionId = queryStringSessionId;
return successful;
}
generated by cgit v1.1 at 2025-05-21 13:22:03 +0000