zydronium/websitepanel
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix where the encrypted session id gets corrupted resulting in a loop and a 500

Browse source 
error

Explicitly cleared the session and authentication cookies
This commit is contained in:
robvde 2012-07-25 19:33:43 +04:00
parent ba1e53b8d2
commit 2a790f105d
2 changed files with 23 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

17
WebsitePanel/Sources/WebsitePanel.WebPortal/Code/PortalUtils.cs
View file

@ -217,6 +217,23 @@ namespace WebsitePanel.Portal
public static void UserSignOut() public static void UserSignOut()
{ {
FormsAuthentication.SignOut(); FormsAuthentication.SignOut();
if (HttpContext.Current.Session != null)
{
HttpContext.Current.Session.Clear();
HttpContext.Current.Session.Abandon();
}
// Clear authentication cookie
HttpCookie rFormsCookie = new HttpCookie(FormsAuthentication.FormsCookieName, "");
rFormsCookie.Expires = DateTime.Now.AddYears(-1);
HttpContext.Current.Response.Cookies.Add(rFormsCookie);
// Clear session cookie
HttpCookie rSessionCookie = new HttpCookie("ASP.NET_SessionId", "");
rSessionCookie.Expires = DateTime.Now.AddYears(-1);
HttpContext.Current.Response.Cookies.Add(rSessionCookie);
HttpContext.Current.Response.Redirect(LoginRedirectUrl); HttpContext.Current.Response.Redirect(LoginRedirectUrl);
} }

13
WebsitePanel/Sources/WebsitePanel.WebPortal/Code/SecureSessionModule.cs
View file

@ -64,15 +64,17 @@ namespace WebsitePanel.WebPortal
// Look for an incoming cookie named "ASP.NET_SessionID" // Look for an incoming cookie named "ASP.NET_SessionID"
HttpRequest request = ((HttpApplication)sender).Request; HttpRequest request = ((HttpApplication)sender).Request;
HttpCookie cookie = GetCookie(request, "ASP.NET_SessionId"); HttpCookie cookie = GetCookie(request, "ASP.NET_SessionId");
HttpCookie authCookie = request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie != null) if (cookie != null)
{ {
// Throw an exception if the cookie lacks a MAC // Throw an exception if the cookie lacks a MAC
if (cookie.Value.Length <= 24) if (cookie.Value.Length <= 24)
{ {
FormsAuthentication.SignOut(); if ((authCookie != null))
HttpContext.Current.Response.Redirect(DefaultPage.GetPageUrl(PortalConfiguration.SiteSettings["DefaultPage"])); {
cookie.Value = GetSessionIDMac(cookie.Value, request.UserHostAddress, request.UserAgent, _ValidationKey); WebsitePanel.Portal.PortalUtils.UserSignOut();
}
return; return;
} }
@ -87,10 +89,7 @@ namespace WebsitePanel.WebPortal
// Throw an exception if the MACs don't match // Throw an exception if the MACs don't match
if (String.CompareOrdinal(mac1, mac2) != 0) if (String.CompareOrdinal(mac1, mac2) != 0)
{ {
FormsAuthentication.SignOut(); WebsitePanel.Portal.PortalUtils.UserSignOut();
HttpContext.Current.Response.Redirect(DefaultPage.GetPageUrl(PortalConfiguration.SiteSettings["DefaultPage"]));
cookie.Value = GetSessionIDMac(cookie.Value, request.UserHostAddress, request.UserAgent, _ValidationKey);
} }
// Strip the MAC from the cookie before ASP.NET sees it // Strip the MAC from the cookie before ASP.NET sees it