Merge pull request #7315 from umbraco/v8/bug/3935-useractions-xsrf-va…
…lidation

Adding extra validation for anti forgery tokens
Claus committed Jan 3, 2020
1 parent b78d8fa commit b613f8b
Showing 3 changed files with 5 additions and 2 deletions.
Expand Up @@ -22,7 +22,7 @@ public override void OnActionExecuting(ActionExecutingContext filterContext)
var userIdentity = filterContext.HttpContext.User.Identity as ClaimsIdentity;
if (userIdentity != null)
{
//if there is not CookiePath claim, then exist
//if there is not CookiePath claim, then exit
if (userIdentity.HasClaim(x => x.Type == ClaimTypes.CookiePath) == false)
{
base.OnActionExecuting(filterContext);
Expand Up @@ -41,6 +41,9 @@ public override void ResponseSignIn(CookieResponseSignInContext context)
: Guid.NewGuid();

backOfficeIdentity.SessionId = session.ToString();

//since it is a cookie-based authentication add that claim
backOfficeIdentity.AddClaim(new Claim(ClaimTypes.CookiePath, "/", ClaimValueTypes.String, UmbracoBackOfficeIdentity.Issuer, UmbracoBackOfficeIdentity.Issuer, backOfficeIdentity));
}

base.ResponseSignIn(context);
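Review bot: The `CookiePath` claim added in `ResponseSignIn` is a security marker, not just metadata: both `OnActionExecuting` filters touched by this commit call `base.OnActionExecuting(...)` and, judging by their comment, exit without validating the anti-forgery token when the claim is absent, so any cookie-authenticated identity that lacks it fails open. The claim is added only inside the conditional block that closes right after it, and the method starts outside the hunk, so it is not visible whether every cookie sign-in path reaches this line; tickets issued before this change presumably carry no claim until the user signs in again. I would say so at the call site, e.g. `// Security: marks the identity as cookie-authenticated; the anti-forgery filters skip validation when this claim is missing, so every cookie sign-in path must add it.`, and add a test asserting that an identity produced by this provider is rejected by the filters when the token is missing.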
Expand Up @@ -21,7 +21,7 @@ public override void OnActionExecuting(System.Web.Http.Controllers.HttpActionCon
var userIdentity = ((ApiController) actionContext.ControllerContext.Controller).User.Identity as ClaimsIdentity;
if (userIdentity != null)
{
//if there is not CookiePath claim, then exist
//if there is not CookiePath claim, then exit
if (userIdentity.HasClaim(x => x.Type == ClaimTypes.CookiePath) == false)
{
base.OnActionExecuting(actionContext);