// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
+using System.ComponentModel;
+using System.Globalization;
using System.Security.Permissions;
using System.Security.Principal;
using System.Text;
[AspNetHostingPermission (SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
public sealed class FormsAuthenticationModule : IHttpModule
{
+ static readonly object authenticateEvent = new object ();
+
+#if NET_2_0
+ AuthenticationSection _config = null;
+#else
+ AuthConfig _config = null;
+#endif
+ bool isConfigInitialized = false;
+ EventHandlerList events = new EventHandlerList ();
+
+ public event FormsAuthenticationEventHandler Authenticate {
+ add { events.AddHandler (authenticateEvent, value); }
+ remove { events.RemoveHandler (authenticateEvent, value); }
+ }
+
+ void InitConfig (HttpContext context)
+ {
+ if(isConfigInitialized)
+ return;
+#if NET_2_0
+ _config = (AuthenticationSection) WebConfigurationManager.GetSection ("system.web/authentication");
+#else
+ _config = (AuthConfig) context.GetConfig ("system.web/authentication");
+#endif
+ isConfigInitialized = true;
+ }
+
[SecurityPermission (SecurityAction.Demand, UnmanagedCode = true)]
public FormsAuthenticationModule ()
{
string loginPage;
bool slidingExpiration;
-#if CONFIGURATION_2_0
- AuthenticationSection config = (AuthenticationSection) WebConfigurationManager.GetWebApplicationSection ("system.web/authentication");
-#else
- AuthConfig config = (AuthConfig) context.GetConfig ("system.web/authentication");
-#endif
-
- if (config == null || config.Mode != AuthenticationMode.Forms) {
+ InitConfig (context);
+ if (_config == null || _config.Mode != AuthenticationMode.Forms) {
return;
}
-#if CONFIGURATION_2_0
- cookieName = config.Forms.Name;
- cookiePath = config.Forms.Path;
- loginPage = config.Forms.LoginUrl;
- slidingExpiration = config.Forms.SlidingExpiration;
+#if NET_2_0
+ cookieName = _config.Forms.Name;
+ cookiePath = _config.Forms.Path;
+ loginPage = _config.Forms.LoginUrl;
+ slidingExpiration = _config.Forms.SlidingExpiration;
#else
- cookieName = config.CookieName;
- cookiePath = config.CookiePath;
- loginPage = config.LoginUrl;
- slidingExpiration = config.SlidingExpiration;
+ cookieName = _config.CookieName;
+ cookiePath = _config.CookiePath;
+ loginPage = _config.LoginUrl;
+ slidingExpiration = _config.SlidingExpiration;
#endif
- string reqPath = "";
+ if (!VirtualPathUtility.IsRooted (loginPage))
+ loginPage = "~/" + loginPage;
+
+ string reqPath = String.Empty;
string loginPath = null;
try {
reqPath = context.Request.PhysicalPath;
loginPath = context.Request.MapPath (loginPage);
} catch {} // ignore
- context.SkipAuthorization = (reqPath == loginPath);
+ context.SkipAuthorization = String.Compare (reqPath, loginPath, RuntimeHelpers.CaseInsensitive, Helpers.InvariantCulture) == 0;
+#if NET_2_0
+ //TODO: need to check that the handler is System.Web.Handlers.AssemblyResourceLoader type
+ string filePath = context.Request.FilePath;
+ if (filePath.Length > 15 && String.CompareOrdinal ("WebResource.axd", 0, filePath, filePath.Length - 15, 15) == 0)
+ context.SkipAuthorization = true;
+#endif
+
FormsAuthenticationEventArgs formArgs = new FormsAuthenticationEventArgs (context);
- if (Authenticate != null)
- Authenticate (this, formArgs);
+ FormsAuthenticationEventHandler eh = events [authenticateEvent] as FormsAuthenticationEventHandler;
+ if (eh != null)
+ eh (this, formArgs);
bool contextUserNull = (context.User == null);
if (formArgs.User != null || !contextUserNull) {
if (cookie == null || (cookie.Expires != DateTime.MinValue && cookie.Expires < DateTime.Now))
return;
- FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt (cookie.Value);
- if (ticket == null || (ticket.IsPersistent && ticket.Expired))
+ FormsAuthenticationTicket ticket = null;
+ try {
+ ticket = FormsAuthentication.Decrypt (cookie.Value);
+ }
+ catch (ArgumentException) {
+ // incorrect cookie value, suppress the exception
+ return;
+ }
+ if (ticket == null || (!ticket.IsPersistent && ticket.Expired))
return;
FormsAuthenticationTicket oldticket = ticket;
return;
string loginPage;
-#if CONFIGURATION_2_0
- AuthenticationSection config = (AuthenticationSection) WebConfigurationManager.GetWebApplicationSection ("system.web/authentication");
- loginPage = config.Forms.LoginUrl;
+ InitConfig (context);
+#if NET_2_0
+ loginPage = _config.Forms.LoginUrl;
#else
- AuthConfig config = (AuthConfig) context.GetConfig ("system.web/authentication");
- loginPage = config.LoginUrl;
+ loginPage = _config.LoginUrl;
#endif
- if (config == null || config.Mode != AuthenticationMode.Forms)
+ if (_config == null || _config.Mode != AuthenticationMode.Forms)
return;
StringBuilder login = new StringBuilder ();
login.Append (UrlUtils.Combine (context.Request.ApplicationPath, loginPage));
login.AppendFormat ("?ReturnUrl={0}", HttpUtility.UrlEncode (context.Request.RawUrl));
- context.Response.Redirect (login.ToString ());
+ context.Response.Redirect (login.ToString (), false);
}
-
- public event FormsAuthenticationEventHandler Authenticate;
}
}
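Review bot: The rewritten check after `FormsAuthentication.Decrypt` now admits an expired persistent ticket: `!ticket.IsPersistent && ticket.Expired` rejects only expired session tickets, so a persistent cookie whose ticket is past its expiration still authenticates the request (the removed condition had the mirror-image gap for session tickets). Unless something outside the hunk re-validates `ticket.Expired`, the guard should be `if (ticket == null || ticket.Expired) return;` — an expired ticket is invalid however it was issued. Separately, in the redirect-to-login path `_config.Forms.LoginUrl` / `_config.LoginUrl` is read before the `_config == null` test, so a missing authentication section surfaces as a NullReferenceException; move `if (_config == null || _config.Mode != AuthenticationMode.Forms) return;` to directly after `InitConfig (context);`. The `WebResource.axd` suffix match that forces `context.SkipAuthorization = true` is flagged by the TODO, but until the handler-type check exists any request whose FilePath ends in that string bypasses authorization, which is worth an explicit comment at the site. Both enclosing methods start and end outside the visible hunk lines.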