241 lines
10 KiB
C#
241 lines
10 KiB
C#
|
//------------------------------------------------------------------------------
|
||
|
// <copyright file="FormsAuthenticationTicket.cs" company="Microsoft">
|
||
|
// Copyright (c) Microsoft Corporation. All rights reserved.
|
||
|
// </copyright>
|
||
|
//------------------------------------------------------------------------------
|
||
|
|
||
|
/*
|
||
|
* FormsAuthenticationTicket class
|
||
|
*
|
||
|
* Copyright (c) 1999 Microsoft Corporation
|
||
|
*/
|
||
|
|
||
|
namespace System.Web.Security {
|
||
|
using System.Security.Principal;
|
||
|
using System.Security.Permissions;
|
||
|
using System.Web.Configuration;
|
||
|
using System.Runtime.Serialization;
|
||
|
|
||
|
|
||
|
/// <devdoc>
|
||
|
/// <para>This class encapsulates the information represented in
|
||
|
/// an authentication cookie as used by FormsAuthenticationModule.</para>
|
||
|
/// </devdoc>
|
||
|
[Serializable]
|
||
|
public sealed class FormsAuthenticationTicket {
|
||
|
|
||
|
/// <devdoc>
|
||
|
/// <para>A one byte version number for future
|
||
|
/// use.</para>
|
||
|
/// </devdoc>
|
||
|
public int Version { get { return _Version;}}
|
||
|
|
||
|
/// <devdoc>
|
||
|
/// The user name associated with the
|
||
|
/// authentication cookie. Note that, at most, 32 bytes are stored in the
|
||
|
/// cookie.
|
||
|
/// </devdoc>
|
||
|
public String Name { get { return _Name;}}
|
||
|
|
||
|
/// <devdoc>
|
||
|
/// The date/time at which the cookie
|
||
|
/// expires.
|
||
|
/// </devdoc>
|
||
|
public DateTime Expiration { get { return _Expiration;}}
|
||
|
|
||
|
/// <devdoc>
|
||
|
/// The time at which the cookie was originally
|
||
|
/// issued. This can be used for custom expiration schemes.
|
||
|
/// </devdoc>
|
||
|
public DateTime IssueDate { get { return _IssueDate;}}
|
||
|
|
||
|
/// <devdoc>
|
||
|
/// True if a durable cookie was issued.
|
||
|
/// Otherwise, the authentication cookie is scoped to the browser lifetime.
|
||
|
/// </devdoc>
|
||
|
public bool IsPersistent { get { return _IsPersistent;}}
|
||
|
|
||
|
/// <devdoc>
|
||
|
/// <para>[To be supplied.]</para>
|
||
|
/// </devdoc>
|
||
|
public bool Expired {
|
||
|
get {
|
||
|
/*
|
||
|
* Two DateTime instances can only be compared if they are of the same DateTimeKind.
|
||
|
* Therefore we normalize everything to UTC to do the comparison. See comments on
|
||
|
* the ExpirationUtc property for more information
|
||
|
*/
|
||
|
return (ExpirationUtc < DateTime.UtcNow);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/// <devdoc>
|
||
|
/// <para>[To be supplied.]</para>
|
||
|
/// </devdoc>
|
||
|
public String UserData { get { return _UserData;}}
|
||
|
|
||
|
|
||
|
/// <devdoc>
|
||
|
/// <para>[To be supplied.]</para>
|
||
|
/// </devdoc>
|
||
|
public String CookiePath { get { return _CookiePath;}}
|
||
|
|
||
|
/*
|
||
|
* We always prefer UTC expiration dates to work around issues like a daylight
|
||
|
* saving time changes between the time the ticket was issued and the time the
|
||
|
* ticket was checked. If we have a firm UTC expiration date, just use it
|
||
|
* directly.
|
||
|
*
|
||
|
* If we don't have a firm UTC expiration date, try converting the developer-
|
||
|
* provided date to UTC before doing the comparison. There are three types of
|
||
|
* DateTime, and the .NET Framework converts as so:
|
||
|
*
|
||
|
* - The DateTime is already UTC, in which case it is returned unmodified.
|
||
|
* - The DateTime is local, in which case the .NET Framework converts it to
|
||
|
* UTC. There is also a hidden bit in the DateTime struct which essentially
|
||
|
* states whether daylight saving time was active when this DateTime was
|
||
|
* generated, i.e. whether this was 2:02 AM PDT or 2:02 AM PST. The .NET
|
||
|
* framework handles round-tripping Local <-> UTC correctly, but comparisons
|
||
|
* can still fail as described in detail below.
|
||
|
* - The DateTime is of an undefined type, in which case it is implicitly
|
||
|
* treated as local in a manner consistent with .NET 1.1.
|
||
|
*
|
||
|
* However, this alone is insufficient to work around DST issues when comparing
|
||
|
* local dates. For example, assume that a ticket is issued on Nov 6, 2011 at
|
||
|
* 1:30 AM PDT (UTC -0700) with a timeout period of 20 minutes. The expiration
|
||
|
* date is thus calculated to be Nov 6, 2011 at 1:50 AM PDT (UTC -0700). Now
|
||
|
* say a request comes in 25 minutes after expiration; the time is currently
|
||
|
* 1:15 AM PST (UTC -0800). [A DST boundary has been crossed.] Since this
|
||
|
* request came in *after* the ticket expiration date, the ticket should be
|
||
|
* rejected. And if we were doing all of our comparisons in UTC, this would
|
||
|
* indeed be the case. However, since the DateTime struct doesn't have UTC
|
||
|
* offset information embedded in it, comparisons of their dates are taken at
|
||
|
* face value as simple wall time comparisons. Thus the current time is
|
||
|
* interpreted just as "1:15 AM" and the expiration time is intepreted just as
|
||
|
* "1:50 AM", and from this simple comparison the token is considered unexpired
|
||
|
* and is accepted by the system.
|
||
|
*
|
||
|
* To see this incorrect behavior in action, run the following on a machine
|
||
|
* in the Pacific Time Zone. Contrast the behavior of the DateTimeOffset type
|
||
|
* (which is designed to handle UTC offsets correctly) with the DateTime type, in
|
||
|
* which the FromFileTime method implicitly does a local time conversion.
|
||
|
*
|
||
|
* long ft1 = 129650430000000000; // Nov 6, 2011 1:50 AM PDT (UTC -0700)
|
||
|
* long ft2 = 129650445000000000; // Nov 6, 2011 1:15 AM PST (UTC -0800)
|
||
|
* DateTimeOffset.FromFileTime(ft1) < DateTimeOffset.FromFileTime(ft2) = true
|
||
|
* DateTime.FromFileTime(ft1) < DateTime.FromFileTime(ft2) = false (INCORRECT!)
|
||
|
*
|
||
|
* To be absolutely safe, we must perform comparisons *only* on DateTime instances
|
||
|
* we know to have correct UTC information, or we must use an offset-aware type
|
||
|
* like DateTimeOffset which just does the right thing automatically.
|
||
|
*
|
||
|
* More info: http://msdn.microsoft.com/en-us/library/bb546099.aspx
|
||
|
*/
|
||
|
internal DateTime ExpirationUtc {
|
||
|
get { return (_ExpirationUtcHasValue) ? _ExpirationUtc : Expiration.ToUniversalTime(); }
|
||
|
}
|
||
|
|
||
|
internal DateTime IssueDateUtc {
|
||
|
get { return (_IssueDateUtcHasValue) ? _IssueDateUtc : IssueDate.ToUniversalTime(); }
|
||
|
}
|
||
|
|
||
|
private int _Version;
|
||
|
private String _Name;
|
||
|
private DateTime _Expiration;
|
||
|
private DateTime _IssueDate;
|
||
|
private bool _IsPersistent;
|
||
|
private String _UserData;
|
||
|
private String _CookiePath;
|
||
|
|
||
|
#pragma warning disable 0169 // unused field
|
||
|
// These fields were added in .NET 4 but weren't actually used anywhere.
|
||
|
// We can't remove them since they're part of the serialization contract.
|
||
|
[OptionalField(VersionAdded = 2)]
|
||
|
private int _InternalVersion;
|
||
|
[OptionalField(VersionAdded = 2)]
|
||
|
private Byte[] _InternalData;
|
||
|
#pragma warning restore 0169
|
||
|
|
||
|
// Issue and expiration times as UTC.
|
||
|
// We can't use nullable types since they didn't exist in v1.1, and this assists backporting fixes downlevel.
|
||
|
[NonSerialized]
|
||
|
private bool _ExpirationUtcHasValue;
|
||
|
[NonSerialized]
|
||
|
private DateTime _ExpirationUtc;
|
||
|
[NonSerialized]
|
||
|
private bool _IssueDateUtcHasValue;
|
||
|
[NonSerialized]
|
||
|
private DateTime _IssueDateUtc;
|
||
|
|
||
|
|
||
|
/// <devdoc>
|
||
|
/// <para>This constructor creates a
|
||
|
/// FormsAuthenticationTicket instance with explicit values.</para>
|
||
|
/// </devdoc>
|
||
|
public FormsAuthenticationTicket(int version,
|
||
|
String name,
|
||
|
DateTime issueDate,
|
||
|
DateTime expiration,
|
||
|
bool isPersistent,
|
||
|
String userData) {
|
||
|
_Version = version;
|
||
|
_Name = name;
|
||
|
_Expiration = expiration;
|
||
|
_IssueDate = issueDate;
|
||
|
_IsPersistent = isPersistent;
|
||
|
_UserData = userData;
|
||
|
_CookiePath = FormsAuthentication.FormsCookiePath;
|
||
|
}
|
||
|
|
||
|
|
||
|
public FormsAuthenticationTicket(int version,
|
||
|
String name,
|
||
|
DateTime issueDate,
|
||
|
DateTime expiration,
|
||
|
bool isPersistent,
|
||
|
String userData,
|
||
|
String cookiePath) {
|
||
|
_Version = version;
|
||
|
_Name = name;
|
||
|
_Expiration = expiration;
|
||
|
_IssueDate = issueDate;
|
||
|
_IsPersistent = isPersistent;
|
||
|
_UserData = userData;
|
||
|
_CookiePath = cookiePath;
|
||
|
}
|
||
|
|
||
|
|
||
|
|
||
|
/// <devdoc>
|
||
|
/// <para> This constructor creates
|
||
|
/// a FormsAuthenticationTicket instance with the specified name and cookie durability,
|
||
|
/// and default values for the other settings.</para>
|
||
|
/// </devdoc>
|
||
|
public FormsAuthenticationTicket(String name, bool isPersistent, Int32 timeout) {
|
||
|
_Version = 2;
|
||
|
_Name = name;
|
||
|
_IssueDateUtcHasValue = true;
|
||
|
_IssueDateUtc = DateTime.UtcNow;
|
||
|
_IssueDate = DateTime.Now;
|
||
|
_IsPersistent = isPersistent;
|
||
|
_UserData = "";
|
||
|
_ExpirationUtcHasValue = true;
|
||
|
_ExpirationUtc = _IssueDateUtc.AddMinutes(timeout);
|
||
|
_Expiration = _IssueDate.AddMinutes(timeout);
|
||
|
_CookiePath = FormsAuthentication.FormsCookiePath;
|
||
|
}
|
||
|
|
||
|
internal static FormsAuthenticationTicket FromUtc(int version, String name, DateTime issueDateUtc, DateTime expirationUtc, bool isPersistent, String userData, String cookiePath) {
|
||
|
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(version, name, issueDateUtc.ToLocalTime(), expirationUtc.ToLocalTime(), isPersistent, userData, cookiePath);
|
||
|
|
||
|
ticket._IssueDateUtcHasValue = true;
|
||
|
ticket._IssueDateUtc = issueDateUtc;
|
||
|
ticket._ExpirationUtcHasValue = true;
|
||
|
ticket._ExpirationUtc = expirationUtc;
|
||
|
|
||
|
return ticket;
|
||
|
}
|
||
|
|
||
|
}
|
||
|
}
|