
Refactored OnAuthenticateRequest

commit 2883a49c371beb8908f83a2e0807a0f39d8f4fe4 1 parent fdc18b1
Mehrdad Afshari mehrdada authored
Showing with 33 additions and 24 deletions.
  1. +33 −24 AppHarbor.Web.Security/CookieAuthenticationModule.cs
57 AppHarbor.Web.Security/CookieAuthenticationModule.cs
@@ -24,33 +24,16 @@ private void OnAuthenticateRequest(object sender, EventArgs e)
var cookie = context.Request.Cookies[_configuration.CookieName];
if (cookie != null)
{
+ var protector = new CookieProtector(_configuration);
try
{
- using (var protector = new CookieProtector(_configuration))
+ byte[] data;
+ var cookieData = protector.Validate(cookie.Value, out data);
+ var authenticationCookie = AuthenticationCookie.Deserialize(data);
+ if (!authenticationCookie.IsExpired(_configuration.Timeout))
{
- byte[] data;
- var cookieData = protector.Validate(cookie.Value, out data);
- var authenticationCookie = AuthenticationCookie.Deserialize(data);
- if (!authenticationCookie.IsExpired(_configuration.Timeout))
- {
- context.User = authenticationCookie.GetPrincipal();
-
- if (_configuration.SlidingExpiration && authenticationCookie.IsExpired(TimeSpan.FromTicks(_configuration.Timeout.Ticks / 2)))
- {
- authenticationCookie.Renew();
- context.Response.Cookies.Remove(_configuration.CookieName);
- var newCookie = new HttpCookie(_configuration.CookieName, protector.Protect(authenticationCookie.Serialize()))
- {
- HttpOnly = true,
- Secure = _configuration.RequireSSL,
- };
- if (!authenticationCookie.Persistent)
- {
- newCookie.Expires = authenticationCookie.IssueDate + _configuration.Timeout;
- }
- context.Response.Cookies.Add(newCookie);
- }
- }
+ context.User = authenticationCookie.GetPrincipal();
+ RenewCookieIfExpiring(context, protector, authenticationCookie);
}
}
catch
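Review bot: The result of `protector.Validate(cookie.Value, out data)` is stored in `cookieData` and never read, so `AuthenticationCookie.Deserialize(data)` runs whatever the validation outcome was. If `Validate` reports a failed integrity check through its return value rather than by throwing (its definition is not visible here), a tampered cookie would still reach deserialization and could end up setting `context.User`. Gate the remaining work on the result, e.g. `if (protector.Validate(cookie.Value, out data))` around the deserialize-and-assign lines, and drop the unused local. `OnAuthenticateRequest` begins and ends outside this hunk.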
@@ -58,6 +41,13 @@ private void OnAuthenticateRequest(object sender, EventArgs e)
// do not leak any information if an exception was thrown.
// simply don't set the context.User property.
}
+ finally
+ {
+ if (protector != null)
+ {
+ protector.Dispose();
+ }
+ }
}
if (IsLoginPage(context.Request))
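Review bot: The `protector != null` test in this `finally` can never be false, because `protector` is assigned from `new CookieProtector(_configuration)` before the `try` is entered (first hunk). More importantly, that construction now sits outside the catch-all, so an exception thrown by the constructor propagates out of `OnAuthenticateRequest` instead of being suppressed as the comment above the `finally` intends; the previous `using` inside the `try` covered it. Keeping `using (var protector = new CookieProtector(_configuration))` inside the `try` and calling `RenewCookieIfExpiring` from within it preserves both the disposal and the no-leak behaviour without a hand-written `finally`.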
@@ -66,6 +56,25 @@ private void OnAuthenticateRequest(object sender, EventArgs e)
}
}
+ private void RenewCookieIfExpiring(HttpContext context, CookieProtector protector, AuthenticationCookie authenticationCookie)
+ {
+ if (_configuration.SlidingExpiration && authenticationCookie.IsExpired(TimeSpan.FromTicks(_configuration.Timeout.Ticks / 2)))
+ {
+ authenticationCookie.Renew();
+ context.Response.Cookies.Remove(_configuration.CookieName);
+ var newCookie = new HttpCookie(_configuration.CookieName, protector.Protect(authenticationCookie.Serialize()))
+ {
+ HttpOnly = true,
+ Secure = _configuration.RequireSSL,
+ };
+ if (!authenticationCookie.Persistent)
+ {
+ newCookie.Expires = authenticationCookie.IssueDate + _configuration.Timeout;
+ }
+ context.Response.Cookies.Add(newCookie);
+ }
+ }
+
private bool IsLoginPage(HttpRequest request)
{
try
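Review bot: The `if (!authenticationCookie.Persistent)` branch in `RenewCookieIfExpiring` sets `Expires` only on non-persistent cookies, which looks inverted: a cookie with an explicit `Expires` is kept by the browser beyond the session, while one without it is discarded when the browser closes. If `Persistent` is meant as "survive browser close", the condition should read `if (authenticationCookie.Persistent)`. The logic was moved unchanged from the old method body, so confirm the intended meaning of the flag (and how the login path issues the first cookie) before flipping it.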