2 // System.Web.Security.FormsAuthentication
5 // Gonzalo Paniagua Javier (gonzalo@ximian.com)
7 // (C) 2002,2003 Ximian, Inc (http://www.ximian.com)
8 // Copyright (c) 2005 Novell, Inc (http://www.novell.com)
12 // Permission is hereby granted, free of charge, to any person obtaining
13 // a copy of this software and associated documentation files (the
14 // "Software"), to deal in the Software without restriction, including
15 // without limitation the rights to use, copy, modify, merge, publish,
16 // distribute, sublicense, and/or sell copies of the Software, and to
17 // permit persons to whom the Software is furnished to do so, subject to
18 // the following conditions:
20 // The above copyright notice and this permission notice shall be
21 // included in all copies or substantial portions of the Software.
23 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
24 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
25 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
26 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
27 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
28 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
29 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
32 using System.Collections;
34 using System.Security.Cryptography;
35 using System.Security.Permissions;
38 using System.Web.Configuration;
39 using System.Web.Util;
40 using System.Globalization;
42 namespace System.Web.Security
44 // CAS - no InheritanceDemand here as the class is sealed
45 [AspNetHostingPermission (SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
46 public sealed class FormsAuthentication
48 const int MD5_hash_size = 16;
49 const int SHA1_hash_size = 20;
51 static string authConfigPath = "system.web/authentication";
52 static string machineKeyConfigPath = "system.web/machineKey";
54 const string Forms_initialized = "Forms.initialized";
55 const string Forms_cookieName = "Forms.cookieName";
56 const string Forms_cookiePath = "Forms.cookiePath";
57 const string Forms_timeout = "Forms.timeout";
58 const string Forms_protection = "Forms.protection";
59 const string Forms_init_vector = "Forms.init_vector";
60 static bool initialized
63 object o = AppDomain.CurrentDomain.GetData (Forms_initialized);
64 return o != null ? (bool) o : false;
66 set { AppDomain.CurrentDomain.SetData (Forms_initialized, value); }
68 static string cookieName
70 get { return (string) AppDomain.CurrentDomain.GetData (Forms_cookieName); }
71 set { AppDomain.CurrentDomain.SetData (Forms_cookieName, value); }
73 static string cookiePath
75 get { return (string) AppDomain.CurrentDomain.GetData (Forms_cookiePath); }
76 set { AppDomain.CurrentDomain.SetData (Forms_cookiePath, value); }
81 object o = AppDomain.CurrentDomain.GetData (Forms_timeout);
82 return o != null ? (int) o : 0;
84 set { AppDomain.CurrentDomain.SetData (Forms_timeout, value); }
86 static FormsProtectionEnum protection
88 get { return (FormsProtectionEnum) AppDomain.CurrentDomain.GetData (Forms_protection); }
89 set { AppDomain.CurrentDomain.SetData (Forms_protection, value); }
91 static byte [] init_vector
93 get { return (byte []) AppDomain.CurrentDomain.GetData (Forms_init_vector); }
94 set { AppDomain.CurrentDomain.SetData (Forms_init_vector, value); }
96 static object locker = new object ();
98 static bool initialized;
99 static string cookieName;
100 static string cookiePath;
102 static FormsProtectionEnum protection;
103 static object locker = new object ();
104 static byte [] init_vector; // initialization vector used for 3DES
108 const string Forms_requireSSL = "Forms.requireSSL";
109 const string Forms_slidingExpiration = "Forms.slidingExpiration";
111 static bool requireSSL
114 object o = AppDomain.CurrentDomain.GetData (Forms_requireSSL);
115 return o != null ? (bool) o : false;
117 set { AppDomain.CurrentDomain.SetData (Forms_requireSSL, value); }
119 static bool slidingExpiration
122 object o = AppDomain.CurrentDomain.GetData (Forms_slidingExpiration);
123 return o != null ? (bool) o : false;
125 set { AppDomain.CurrentDomain.SetData (Forms_slidingExpiration, value); }
128 static bool requireSSL;
129 static bool slidingExpiration;
134 const string Forms_cookie_domain = "Forms.cookie_domain";
135 const string Forms_cookie_mode = "Forms.cookie_mode";
136 const string Forms_cookies_supported = "Forms.cookies_supported";
137 const string Forms_default_url = "Forms.default_url";
138 const string Forms_enable_crossapp_redirects = "Forms.enable_crossapp_redirects";
139 const string Forms_login_url = "Forms.login_url";
140 static string cookie_domain
142 get { return (string) AppDomain.CurrentDomain.GetData (Forms_cookie_domain); }
143 set { AppDomain.CurrentDomain.SetData (Forms_cookie_domain, value); }
145 static HttpCookieMode cookie_mode
147 get { return (HttpCookieMode) AppDomain.CurrentDomain.GetData (Forms_cookie_mode); }
148 set { AppDomain.CurrentDomain.SetData (Forms_cookie_mode, value); }
150 static bool cookies_supported
153 object o = AppDomain.CurrentDomain.GetData (Forms_cookies_supported);
154 return o != null ? (bool) o : false;
156 set { AppDomain.CurrentDomain.SetData (Forms_cookies_supported, value); }
158 static string default_url
160 get { return (string) AppDomain.CurrentDomain.GetData (Forms_default_url); }
161 set { AppDomain.CurrentDomain.SetData (Forms_default_url, value); }
163 static bool enable_crossapp_redirects
166 object o = AppDomain.CurrentDomain.GetData (Forms_enable_crossapp_redirects);
167 return o != null ? (bool) o : false;
169 set { AppDomain.CurrentDomain.SetData (Forms_enable_crossapp_redirects, value); }
171 static string login_url
173 get { return (string) AppDomain.CurrentDomain.GetData (Forms_login_url); }
174 set { AppDomain.CurrentDomain.SetData (Forms_login_url, value); }
177 static string cookie_domain;
178 static HttpCookieMode cookie_mode;
179 static bool cookies_supported;
180 static string default_url;
181 static bool enable_crossapp_redirects;
182 static string login_url;
185 // same names and order used in xsp
186 static string [] indexFiles = { "index.aspx",
192 public FormsAuthentication ()
196 public static bool Authenticate (string name, string password)
198 if (name == null || password == null)
202 HttpContext context = HttpContext.Current;
204 throw new HttpException ("Context is null!");
206 name = name.ToLower ();
208 AuthenticationSection section = (AuthenticationSection) WebConfigurationManager.GetSection (authConfigPath);
209 FormsAuthenticationCredentials config = section.Forms.Credentials;
210 FormsAuthenticationUser user = config.Users[name];
211 string stored = null;
214 stored = user.Password;
216 AuthConfig config = context.GetConfig (authConfigPath) as AuthConfig;
217 Hashtable users = config.CredentialUsers;
218 string stored = users [name] as string;
223 switch (config.PasswordFormat) {
224 case FormsAuthPasswordFormat.Clear:
227 case FormsAuthPasswordFormat.MD5:
228 password = HashPasswordForStoringInConfigFile (password, "MD5");
230 case FormsAuthPasswordFormat.SHA1:
231 password = HashPasswordForStoringInConfigFile (password, "SHA1");
235 return (password == stored);
239 static byte [] GetDecryptionKey (MachineKeySection config)
241 return MachineKeySectionUtils.DecryptionKey192Bits (config);
244 static byte [] GetDecryptionKey (MachineKeyConfig config)
246 return config.DecryptionKey192Bits;
250 static FormsAuthenticationTicket Decrypt2 (byte [] bytes)
252 if (protection == FormsProtectionEnum.None)
253 return FormsAuthenticationTicket.FromByteArray (bytes);
256 MachineKeySection config = (MachineKeySection) WebConfigurationManager.GetSection (machineKeyConfigPath);
258 MachineKeyConfig config = HttpContext.GetAppConfig (machineKeyConfigPath) as MachineKeyConfig;
260 bool all = (protection == FormsProtectionEnum.All);
262 byte [] result = bytes;
263 if (all || protection == FormsProtectionEnum.Encryption) {
264 ICryptoTransform decryptor;
265 decryptor = TripleDES.Create ().CreateDecryptor (GetDecryptionKey (config), init_vector);
266 result = decryptor.TransformFinalBlock (bytes, 0, bytes.Length);
270 if (all || protection == FormsProtectionEnum.Validation) {
272 MachineKeyValidation validationType;
275 validationType = config.Validation;
277 validationType = config.ValidationType;
279 if (validationType == MachineKeyValidation.MD5)
280 count = MD5_hash_size;
282 count = SHA1_hash_size; // 3DES and SHA1
285 byte [] vk = MachineKeySectionUtils.ValidationKeyBytes (config);
287 byte [] vk = config.ValidationKey;
289 byte [] mix = new byte [result.Length - count + vk.Length];
290 Buffer.BlockCopy (result, 0, mix, 0, result.Length - count);
291 Buffer.BlockCopy (vk, 0, mix, result.Length - count, vk.Length);
294 switch (validationType) {
295 case MachineKeyValidation.MD5:
296 hash = MD5.Create ().ComputeHash (mix);
298 // From MS docs: "When 3DES is specified, forms authentication defaults to SHA1"
299 case MachineKeyValidation.TripleDES:
300 case MachineKeyValidation.SHA1:
301 hash = SHA1.Create ().ComputeHash (mix);
305 if (result.Length < count)
306 throw new ArgumentException ("Error validating ticket (length).", "encryptedTicket");
309 for (i = result.Length - count, k = 0; k < count; i++, k++) {
310 if (result [i] != hash [k])
311 throw new ArgumentException ("Error validating ticket.", "encryptedTicket");
315 return FormsAuthenticationTicket.FromByteArray (result);
318 public static FormsAuthenticationTicket Decrypt (string encryptedTicket)
320 if (encryptedTicket == null || encryptedTicket == String.Empty)
321 throw new ArgumentException ("Invalid encrypted ticket", "encryptedTicket");
325 FormsAuthenticationTicket ticket;
327 byte [] bytes = MachineKeySectionUtils.GetBytes (encryptedTicket, encryptedTicket.Length);
329 byte [] bytes = MachineKeyConfig.GetBytes (encryptedTicket, encryptedTicket.Length);
332 ticket = Decrypt2 (bytes);
333 } catch (Exception) {
340 public static string Encrypt (FormsAuthenticationTicket ticket)
343 throw new ArgumentNullException ("ticket");
346 byte [] ticket_bytes = ticket.ToByteArray ();
347 if (protection == FormsProtectionEnum.None)
348 return GetHexString (ticket_bytes);
350 byte [] result = ticket_bytes;
352 MachineKeySection config = (MachineKeySection) WebConfigurationManager.GetSection (machineKeyConfigPath);
354 MachineKeyConfig config = HttpContext.GetAppConfig (machineKeyConfigPath) as MachineKeyConfig;
356 bool all = (protection == FormsProtectionEnum.All);
357 if (all || protection == FormsProtectionEnum.Validation) {
358 byte [] valid_bytes = null;
360 byte [] vk = MachineKeySectionUtils.ValidationKeyBytes (config);
362 byte [] vk = config.ValidationKey;
364 byte [] mix = new byte [ticket_bytes.Length + vk.Length];
365 Buffer.BlockCopy (ticket_bytes, 0, mix, 0, ticket_bytes.Length);
366 Buffer.BlockCopy (vk, 0, mix, result.Length, vk.Length);
372 config.ValidationType
375 case MachineKeyValidation.MD5:
376 valid_bytes = MD5.Create ().ComputeHash (mix);
378 // From MS docs: "When 3DES is specified, forms authentication defaults to SHA1"
379 case MachineKeyValidation.TripleDES:
380 case MachineKeyValidation.SHA1:
381 valid_bytes = SHA1.Create ().ComputeHash (mix);
385 int tlen = ticket_bytes.Length;
386 int vlen = valid_bytes.Length;
387 result = new byte [tlen + vlen];
388 Buffer.BlockCopy (ticket_bytes, 0, result, 0, tlen);
389 Buffer.BlockCopy (valid_bytes, 0, result, tlen, vlen);
392 if (all || protection == FormsProtectionEnum.Encryption) {
393 ICryptoTransform encryptor;
394 encryptor = TripleDES.Create ().CreateEncryptor (GetDecryptionKey (config), init_vector);
395 result = encryptor.TransformFinalBlock (result, 0, result.Length);
398 return GetHexString (result);
401 public static HttpCookie GetAuthCookie (string userName, bool createPersistentCookie)
403 return GetAuthCookie (userName, createPersistentCookie, null);
406 public static HttpCookie GetAuthCookie (string userName, bool createPersistentCookie, string strCookiePath)
410 if (userName == null)
411 userName = String.Empty;
413 if (strCookiePath == null || strCookiePath.Length == 0)
414 strCookiePath = cookiePath;
416 DateTime now = DateTime.Now;
418 if (createPersistentCookie)
419 then = now.AddYears (50);
421 then = now.AddMinutes (timeout);
423 FormsAuthenticationTicket ticket = new FormsAuthenticationTicket (1,
427 createPersistentCookie,
431 if (!createPersistentCookie)
432 then = DateTime.MinValue;
434 HttpCookie cookie = new HttpCookie (cookieName, Encrypt (ticket), strCookiePath, then);
436 cookie.Secure = true;
440 internal static string ReturnUrl
442 get { return HttpContext.Current.Request ["RETURNURL"]; }
445 public static string GetRedirectUrl (string userName, bool createPersistentCookie)
447 if (userName == null)
451 HttpRequest request = HttpContext.Current.Request;
452 string returnUrl = ReturnUrl;
453 if (returnUrl != null)
456 returnUrl = request.ApplicationPath;
457 string apppath = request.PhysicalApplicationPath;
460 foreach (string indexFile in indexFiles) {
461 string filePath = Path.Combine (apppath, indexFile);
462 if (File.Exists (filePath)) {
463 returnUrl = UrlUtils.Combine (returnUrl, indexFile);
470 returnUrl = UrlUtils.Combine (returnUrl, "index.aspx");
475 static string GetHexString (byte [] bytes)
477 const int letterPart = 55;
478 const int numberPart = 48;
479 char [] result = new char [bytes.Length * 2];
480 for (int i = 0; i < bytes.Length; i++) {
481 int tmp = (int) bytes [i];
482 int second = tmp & 15;
483 int first = (tmp >> 4) & 15;
484 result [(i * 2)] = (char) (first > 9 ? letterPart + first : numberPart + first);
485 result [(i * 2) + 1] = (char) (second > 9 ? letterPart + second : numberPart + second);
487 return new string (result);
490 public static string HashPasswordForStoringInConfigFile (string password, string passwordFormat)
492 if (password == null)
493 throw new ArgumentNullException ("password");
495 if (passwordFormat == null)
496 throw new ArgumentNullException ("passwordFormat");
499 if (String.Compare (passwordFormat, "MD5", true, CultureInfo.InvariantCulture) == 0) {
500 bytes = MD5.Create ().ComputeHash (Encoding.UTF8.GetBytes (password));
501 } else if (String.Compare (passwordFormat, "SHA1", true, CultureInfo.InvariantCulture) == 0) {
502 bytes = SHA1.Create ().ComputeHash (Encoding.UTF8.GetBytes (password));
504 throw new ArgumentException ("The format must be either MD5 or SHA1", "passwordFormat");
507 return GetHexString (bytes);
510 public static void Initialize ()
520 AuthenticationSection section = (AuthenticationSection)WebConfigurationManager.GetSection (authConfigPath);
521 FormsAuthenticationConfiguration config = section.Forms;
523 cookieName = config.Name;
524 timeout = (int)config.Timeout.TotalMinutes;
525 cookiePath = config.Path;
526 protection = config.Protection;
527 requireSSL = config.RequireSSL;
528 slidingExpiration = config.SlidingExpiration;
529 cookie_domain = config.Domain;
530 cookie_mode = config.Cookieless;
531 cookies_supported = true; /* XXX ? */
532 default_url = MapUrl(config.DefaultUrl);
533 enable_crossapp_redirects = config.EnableCrossAppRedirects;
534 login_url = MapUrl(config.LoginUrl);
536 HttpContext context = HttpContext.Current;
537 AuthConfig authConfig = context.GetConfig (authConfigPath) as AuthConfig;
538 if (authConfig != null) {
539 cookieName = authConfig.CookieName;
540 timeout = authConfig.Timeout;
541 cookiePath = authConfig.CookiePath;
542 protection = authConfig.Protection;
544 requireSSL = authConfig.RequireSSL;
545 slidingExpiration = authConfig.SlidingExpiration;
548 cookieName = ".MONOAUTH";
551 protection = FormsProtectionEnum.All;
553 slidingExpiration = true;
558 // IV is 8 bytes long for 3DES
559 init_vector = new byte [8];
560 int len = cookieName.Length;
561 for (int i = 0; i < 8; i++) {
565 init_vector [i] = (byte) cookieName [i];
573 static string MapUrl (string url) {
574 if (UrlUtils.IsRelativeUrl (url))
575 return UrlUtils.Combine (HttpRuntime.AppDomainAppVirtualPath, url);
577 return UrlUtils.ResolveVirtualPathFromAppAbsolute (url);
581 public static void RedirectFromLoginPage (string userName, bool createPersistentCookie)
583 RedirectFromLoginPage (userName, createPersistentCookie, null);
586 public static void RedirectFromLoginPage (string userName, bool createPersistentCookie, string strCookiePath)
588 if (userName == null)
592 SetAuthCookie (userName, createPersistentCookie, strCookiePath);
593 Redirect (GetRedirectUrl (userName, createPersistentCookie), false);
596 public static FormsAuthenticationTicket RenewTicketIfOld (FormsAuthenticationTicket tOld)
601 DateTime now = DateTime.Now;
602 TimeSpan toIssue = now - tOld.IssueDate;
603 TimeSpan toExpiration = tOld.Expiration - now;
604 if (toExpiration > toIssue)
607 FormsAuthenticationTicket tNew = tOld.Clone ();
608 tNew.SetDates (now, now + (tOld.Expiration - tOld.IssueDate));
612 public static void SetAuthCookie (string userName, bool createPersistentCookie)
615 SetAuthCookie (userName, createPersistentCookie, cookiePath);
618 public static void SetAuthCookie (string userName, bool createPersistentCookie, string strCookiePath)
620 HttpContext context = HttpContext.Current;
622 throw new HttpException ("Context is null!");
624 HttpResponse response = context.Response;
625 if (response == null)
626 throw new HttpException ("Response is null!");
628 response.Cookies.Add (GetAuthCookie (userName, createPersistentCookie, strCookiePath));
631 public static void SignOut ()
635 HttpContext context = HttpContext.Current;
637 throw new HttpException ("Context is null!");
639 HttpResponse response = context.Response;
640 if (response == null)
641 throw new HttpException ("Response is null!");
643 HttpCookieCollection cc = response.Cookies;
644 cc.Remove (cookieName);
645 HttpCookie expiration_cookie = new HttpCookie (cookieName, "");
646 expiration_cookie.Expires = new DateTime (1999, 10, 12);
647 expiration_cookie.Path = cookiePath;
648 cc.Add (expiration_cookie);
651 Roles.DeleteCookie ();
655 public static string FormsCookieName
663 public static string FormsCookiePath
671 public static bool RequireSSL {
678 public static bool SlidingExpiration {
681 return slidingExpiration;
687 public static string CookieDomain {
688 get { Initialize (); return cookie_domain; }
691 public static HttpCookieMode CookieMode {
692 get { Initialize (); return cookie_mode; }
695 public static bool CookiesSupported {
696 get { Initialize (); return cookies_supported; }
699 public static string DefaultUrl {
700 get { Initialize (); return default_url; }
703 public static bool EnableCrossAppRedirects {
704 get { Initialize (); return enable_crossapp_redirects; }
707 public static string LoginUrl {
708 get { Initialize (); return login_url; }
711 public static void RedirectToLoginPage ()
716 [MonoTODO ("needs more tests")]
717 public static void RedirectToLoginPage (string extraQueryString)
719 // TODO: if ? is in LoginUrl (legal?), ? in query (legal?) ...
720 Redirect (LoginUrl + "?" + extraQueryString);
723 static void Redirect (string url)
725 HttpContext.Current.Response.Redirect (url);
729 static void Redirect (string url, bool end)
731 HttpContext.Current.Response.Redirect (url, end);