diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/DotNetOpenAuth.AspNet/OpenAuthSecurityManager.cs | 40 |
1 files changed, 24 insertions, 16 deletions
diff --git a/src/DotNetOpenAuth.AspNet/OpenAuthSecurityManager.cs b/src/DotNetOpenAuth.AspNet/OpenAuthSecurityManager.cs index 8327042..d33913a 100644 --- a/src/DotNetOpenAuth.AspNet/OpenAuthSecurityManager.cs +++ b/src/DotNetOpenAuth.AspNet/OpenAuthSecurityManager.cs @@ -163,10 +163,12 @@ namespace DotNetOpenAuth.AspNet { // Guard against XSRF attack by injecting session id into the redirect url and response cookie. // Upon returning from the external provider, we'll compare the session id value in the query // string and the cookie. If they don't match, we'll reject the request. - string sessionId = Guid.NewGuid().ToString(); + string sessionId = Guid.NewGuid().ToString("N"); uri = uri.AttachQueryStringParameter(SessionIdQueryStringName, sessionId); - var xsrfCookie = new HttpCookie(SessionIdCookieName, sessionId); + var xsrfCookie = new HttpCookie(SessionIdCookieName, sessionId) { + HttpOnly = true + }; if (FormsAuthentication.RequireSSL) { xsrfCookie.Secure = true; } @@ -179,14 +181,6 @@ namespace DotNetOpenAuth.AspNet { /// <summary> /// Checks if user is successfully authenticated when user is redirected back to this user. /// </summary> - /// <returns>The result of the authentication.</returns> - public AuthenticationResult VerifyAuthentication() { - return VerifyAuthentication(returnUrl: null); - } - - /// <summary> - /// Checks if user is successfully authenticated when user is redirected back to this user. - /// </summary> /// <param name="returnUrl">The return Url which must match exactly the Url passed into RequestAuthentication() earlier.</param> /// <remarks> /// This returnUrl parameter only applies to OAuth2 providers. For other providers, it ignores the returnUrl parameter. @@ -196,7 +190,8 @@ namespace DotNetOpenAuth.AspNet { /// </returns> public AuthenticationResult VerifyAuthentication(string returnUrl) { // check for XSRF attack - bool successful = this.ValidateRequestAgainstXsrfAttack(); + string sessionId; + bool successful = this.ValidateRequestAgainstXsrfAttack(out sessionId); if (!successful) { return new AuthenticationResult( isSuccessful: false, @@ -222,6 +217,10 @@ namespace DotNetOpenAuth.AspNet { // the login when user is redirected back to this page uri = uri.AttachQueryStringParameter(ProviderQueryStringName, this.authenticationProvider.ProviderName); + // When we called RequestAuthentication(), we put the sessionId in the returnUrl query string. + // Hence, we need to put it in the VerifyAuthentication url again to please FB/Microsoft account providers. + uri = uri.AttachQueryStringParameter(SessionIdQueryStringName, sessionId); + try { AuthenticationResult result = oauth2Client.VerifyAuthentication(this.requestContext, uri); if (!result.IsSuccessful) { @@ -248,23 +247,32 @@ namespace DotNetOpenAuth.AspNet { /// <summary> /// Validates the request against XSRF attack. /// </summary> - /// <returns><c>true</c> if the request is safe. Otherwise, <c>false</c>.</returns> - private bool ValidateRequestAgainstXsrfAttack() { + /// <param name="sessionId">The session id embedded in the query string.</param> + /// <returns> + /// <c>true</c> if the request is safe. Otherwise, <c>false</c>. + /// </returns> + private bool ValidateRequestAgainstXsrfAttack(out string sessionId) { // get the session id query string parameter string queryStringSessionId = this.requestContext.Request.QueryString[SessionIdQueryStringName]; + // verify that the query string value is a valid guid + Guid guid; + if (!Guid.TryParse(queryStringSessionId, out guid)) { + sessionId = null; + return false; + } + // get the cookie id query string parameter var cookie = this.requestContext.Request.Cookies[SessionIdCookieName]; - bool successful = !string.IsNullOrEmpty(queryStringSessionId) && - cookie != null && - queryStringSessionId == cookie.Value; + bool successful = cookie != null && queryStringSessionId == cookie.Value; if (successful) { // be a good citizen, clean up cookie when the authentication succeeds this.requestContext.Response.Cookies.Remove(SessionIdCookieName); } + sessionId = queryStringSessionId; return successful; } |