#105 Use DataProtection to encrypt the cookie

samples/SessionSample/Properties/launchSettings.json

@@ -15,10 +15,12 @@
         "Hosting:Environment": "Development"
       }
     },
-    "web": {
-      "commandName": "web",
+    "SessionSample": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "launchUrl": "http://localhost:5000/",
       "environmentVariables": {
-        "Hosting:Environment": "Development"
+        "ASPNETCORE_ENVIRONMENT": "Development"
       }
     }
   }

samples/SessionSample/Startup.cs

@@ -27,11 +27,11 @@ public void ConfigureServices(IServiceCollection services)
             //    o.SchemaName = "dbo";
             //    o.TableName = "Sessions";
             //});
-
+#if NET451
             // Uncomment the following line to use the Redis implementation of IDistributedCache.
             // This will override any previously registered IDistributedCache service.
             //services.AddSingleton<IDistributedCache, RedisCache>();
-
+#endif
             // Adds a default in-memory implementation of IDistributedCache
             services.AddMemoryCache();
             services.AddDistributedMemoryCache();

samples/SessionSample/project.json

@@ -8,7 +8,6 @@
     "Microsoft.AspNetCore.Server.Kestrel": "1.0.0-*",
     "Microsoft.AspNetCore.Session": "1.0.0-*",
     "Microsoft.Extensions.Caching.Memory": "1.0.0-*",
-    "Microsoft.Extensions.Caching.Redis": "1.0.0-*",
     "Microsoft.Extensions.Caching.SqlServer": "1.0.0-*",
     "Microsoft.Extensions.Logging.Console": "1.0.0-*"
   },
@@ -18,7 +17,22 @@
     ]
   },
   "frameworks": {
-    "net451": {}
+    "net451": {
+      "dependencies": {
+        "Microsoft.Extensions.Caching.Redis": "1.0.0-*"
+      }
+    },
+    "netcoreapp1.0": {
+      "imports": [
+        "dnxcore50"
+      ],
+      "dependencies": {
+        "Microsoft.NETCore.App": {
+          "version": "1.0.0-*",
+          "type": "platform"
+        }
+      }
+    }
   },
   "tools": {
     "Microsoft.AspNetCore.Server.IISIntegration.Tools": {

src/Microsoft.AspNetCore.Session/CookieProtection.cs

@@ -0,0 +1,71 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Text;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.Extensions.Logging;
+
+namespace Microsoft.AspNetCore.Session
+{
+    internal static class CookieProtection
+    {
+        internal static string Protect(IDataProtector protector, string data)
+        {
+            if (protector == null)
+            {
+                throw new ArgumentNullException(nameof(protector));
+            }
+            if (string.IsNullOrEmpty(data))
+            {
+                return data;
+            }
+
+            var userData = Encoding.UTF8.GetBytes(data);
+
+            var protectedData = protector.Protect(userData);
+            return Convert.ToBase64String(protectedData).TrimEnd('=');
+        }
+
+        internal static string Unprotect(IDataProtector protector, string protectedText, ILogger logger)
+        {
+            try
+            {
+                if (string.IsNullOrEmpty(protectedText))
+                {
+                    return string.Empty;
+                }
+
+                var protectedData = Convert.FromBase64String(Pad(protectedText));
+                if (protectedData == null)
+                {
+                    return string.Empty;
+                }
+
+                var userData = protector.Unprotect(protectedData);
+                if (userData == null)
+                {
+                    return string.Empty;
+                }
+
+                return Encoding.UTF8.GetString(userData);
+            }
+            catch (Exception ex)
+            {
+                // Log the exception, but do not leak other information
+                logger.ErrorUnprotectingSessionCookie(ex);
+                return string.Empty;
+            }
+        }
+
+        private static string Pad(string text)
+        {
+            var padding = 3 - ((text.Length + 3) % 4);
+            if (padding == 0)
+            {
+                return text;
+            }
+            return text + new string('=', padding);
+        }
+    }
+}

src/Microsoft.AspNetCore.Session/LoggingExtensions.cs

@@ -12,6 +12,7 @@ internal static class LoggingExtensions
         private static Action<ILogger, string, string, Exception> _sessionStarted;
         private static Action<ILogger, string, string, int, Exception> _sessionLoaded;
         private static Action<ILogger, string, string, int, Exception> _sessionStored;
+        private static Action<ILogger, Exception> _errorUnprotectingCookie;
 
         static LoggingExtensions()
         {
@@ -35,6 +36,10 @@ static LoggingExtensions()
                 eventId: 5,
                 logLevel: LogLevel.Debug,
                 formatString: "Session stored; Key:{sessionKey}, Id:{sessionId}, Count:{count}");
+            _errorUnprotectingCookie = LoggerMessage.Define(
+                eventId: 6,
+                logLevel: LogLevel.Warning,
+                formatString: "Error unprotecting the session cookie.");
         }
 
         public static void ErrorClosingTheSession(this ILogger logger, Exception exception)
@@ -61,5 +66,10 @@ public static void SessionStored(this ILogger logger, string sessionKey, string
         {
             _sessionStored(logger, sessionKey, sessionId, count, null);
         }
+
+        public static void ErrorUnprotectingSessionCookie(this ILogger logger, Exception exception)
+        {
+            _errorUnprotectingCookie(logger, exception);
+        }
     }
 }

src/Microsoft.AspNetCore.Session/SessionMiddleware.cs

@@ -5,6 +5,7 @@
 using System.Security.Cryptography;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.Extensions.Logging;
@@ -24,17 +25,20 @@ public class SessionMiddleware
         private readonly SessionOptions _options;
         private readonly ILogger _logger;
         private readonly ISessionStore _sessionStore;
+        private readonly IDataProtector _dataProtector;
 
         /// <summary>
         /// Creates a new <see cref="SessionMiddleware"/>.
         /// </summary>
         /// <param name="next">The <see cref="RequestDelegate"/> representing the next middleware in the pipeline.</param>
         /// <param name="loggerFactory">The <see cref="ILoggerFactory"/> representing the factory that used to create logger instances.</param>
+        /// <param name="dataProtectionProvider">The <see cref="IDataProtectionProvider"/> used to protect and verify the cookie.</param>
         /// <param name="sessionStore">The <see cref="ISessionStore"/> representing the session store.</param>
         /// <param name="options">The session configuration options.</param>
         public SessionMiddleware(
             RequestDelegate next,
             ILoggerFactory loggerFactory,
+            IDataProtectionProvider dataProtectionProvider,
             ISessionStore sessionStore,
             IOptions<SessionOptions> options)
         {
@@ -48,6 +52,11 @@ public SessionMiddleware(
                 throw new ArgumentNullException(nameof(loggerFactory));
             }
 
+            if (dataProtectionProvider == null)
+            {
+                throw new ArgumentNullException(nameof(dataProtectionProvider));
+            }
+
             if (sessionStore == null)
             {
                 throw new ArgumentNullException(nameof(sessionStore));
@@ -60,6 +69,7 @@ public SessionMiddleware(
 
             _next = next;
             _logger = loggerFactory.CreateLogger<SessionMiddleware>();
+            _dataProtector = dataProtectionProvider.CreateProtector(nameof(SessionMiddleware));
             _options = options.Value;
             _sessionStore = sessionStore;
         }
@@ -73,14 +83,16 @@ public async Task Invoke(HttpContext context)
         {
             var isNewSessionKey = false;
             Func<bool> tryEstablishSession = ReturnTrue;
-            string sessionKey = context.Request.Cookies[_options.CookieName];
+            var cookieValue = context.Request.Cookies[_options.CookieName];
+            var sessionKey = CookieProtection.Unprotect(_dataProtector, cookieValue, _logger);
             if (string.IsNullOrWhiteSpace(sessionKey) || sessionKey.Length != SessionKeyLength)
             {
                 // No valid cookie, new session.
                 var guidBytes = new byte[16];
                 CryptoRandom.GetBytes(guidBytes);
                 sessionKey = new Guid(guidBytes).ToString();
-                var establisher = new SessionEstablisher(context, sessionKey, _options);
+                cookieValue = CookieProtection.Protect(_dataProtector, sessionKey);
+                var establisher = new SessionEstablisher(context, cookieValue, _options);
                 tryEstablishSession = establisher.TryEstablishSession;
                 isNewSessionKey = true;
             }
@@ -114,14 +126,14 @@ public async Task Invoke(HttpContext context)
         private class SessionEstablisher
         {
             private readonly HttpContext _context;
-            private readonly string _sessionKey;
+            private readonly string _cookieValue;
             private readonly SessionOptions _options;
             private bool _shouldEstablishSession;
 
-            public SessionEstablisher(HttpContext context, string sessionKey, SessionOptions options)
+            public SessionEstablisher(HttpContext context, string cookieValue, SessionOptions options)
             {
                 _context = context;
-                _sessionKey = sessionKey;
+                _cookieValue = cookieValue;
                 _options = options;
                 context.Response.OnStarting(OnStartingCallback, state: this);
             }
@@ -145,7 +157,7 @@ private void SetCookie()
                     Path = _options.CookiePath ?? SessionDefaults.CookiePath,
                 };
 
-                _context.Response.Cookies.Append(_options.CookieName, _sessionKey, cookieOptions);
+                _context.Response.Cookies.Append(_options.CookieName, _cookieValue, cookieOptions);
 
                 _context.Response.Headers["Cache-Control"] = "no-cache";
                 _context.Response.Headers["Pragma"] = "no-cache";

src/Microsoft.AspNetCore.Session/SessionServiceCollectionExtensions.cs

@@ -25,6 +25,7 @@ public static IServiceCollection AddSession(this IServiceCollection services)
             }
 
             services.AddTransient<ISessionStore, DistributedSessionStore>();
+            services.AddDataProtection();
             return services;
         }
 

src/Microsoft.AspNetCore.Session/project.json

@@ -13,6 +13,7 @@
     ]
   },
   "dependencies": {
+    "Microsoft.AspNetCore.DataProtection": "1.0.0-*",
     "Microsoft.AspNetCore.Http.Abstractions": "1.0.0-*",
     "Microsoft.Extensions.Caching.Abstractions": "1.0.0-*",
     "Microsoft.Extensions.Logging.Abstractions": "1.0.0-*",

test/Microsoft.AspNetCore.Session.Tests/Microsoft.AspNetCore.Session.Tests.xproj

@@ -13,5 +13,8 @@
   <PropertyGroup>
     <SchemaVersion>2.0</SchemaVersion>
   </PropertyGroup>
+  <ItemGroup>
+    <Service Include="{82a7f48d-3b50-4b1e-b82e-3ada8210c358}" />
+  </ItemGroup>
   <Import Project="$(VSToolsPath)\DNX\Microsoft.DNX.targets" Condition="'$(VSToolsPath)' != ''" />
 </Project>