Session validation key support added into installer

WebsitePanel.Installer/Sources/WebsitePanel.Setup/Common/InstallAction.cs

@@ -88,6 +88,8 @@ namespace WebsitePanel.Setup
 		SwitchServer2AspNet40,
 		SwitchEntServer2AspNet40,
 		SwitchWebPortal2AspNet40,
+        ConfigureSecureSessionModuleInWebConfig,
+        UpdatePortalSessionValidationKey
 	}
 	
 	public class InstallAction

WebsitePanel.Installer/Sources/WebsitePanel.Setup/Common/StringUtils.cs

@@ -0,0 +1,19 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace WebsitePanel.Setup.Common
+{
+    public class StringUtils
+    {
+        public static string GenerateRandomString(int length)
+        {
+            RNGCryptoServiceProvider crypto = new RNGCryptoServiceProvider();
+            byte[] data = new byte[length];
+            crypto.GetNonZeroBytes(data);
+            return BitConverter.ToString(data).Replace("-", "").ToLowerInvariant();
+        }
+    }
+}

WebsitePanel.Installer/Sources/WebsitePanel.Setup/Portal.cs

@@ -217,6 +217,10 @@ namespace WebsitePanel.Setup
 			action.Description = "Updating site settings...";
 			page3.Actions.Add(action);
 
+            action = new InstallAction(ActionTypes.UpdatePortalSessionValidationKey);
+            action.Description = "Generate session validation key...";
+            page3.Actions.Add(action);
+
 			action = new InstallAction(ActionTypes.UpdateConfig);
 			action.Description = "Updating system configuration...";
 			page3.Actions.Add(action);

WebsitePanel.Installer/Sources/WebsitePanel.Setup/Portal20.cs

@@ -31,8 +31,9 @@ namespace WebsitePanel.Setup
         {
             return UpdateBase(obj,
                 minimalInstallerVersion: "2.0.0",
-                versionToUpgrade: "1.2.1",
+                versionsToUpgrade: "1.2.1",
-                updateSql: false);
+                updateSql: false,
+                versionSpecificAction: new InstallAction(ActionTypes.ConfigureSecureSessionModuleInWebConfig));
         }
     }
 }

WebsitePanel.Installer/Sources/WebsitePanel.Setup/WebsitePanel.Setup.csproj

@@ -133,6 +133,7 @@
     <Compile Include="Common\SqlProcess.cs" />
     <Compile Include="Common\SqlUtils.cs" />
     <Compile Include="Common\ServerItem.cs" />
+    <Compile Include="Common\StringUtils.cs" />
     <Compile Include="Common\Utils.cs" />
     <Compile Include="Common\WebException.cs" />
     <Compile Include="Common\WebUtils.cs" />

WebsitePanel.Installer/Sources/WebsitePanel.Setup/Wizard/ExpressInstallPage.cs

@@ -258,6 +258,12 @@ namespace WebsitePanel.Setup
 						case ActionTypes.AddCustomErrorsPage:
 							AddCustomErrorsPage();
 							break;
+                        case ActionTypes.ConfigureSecureSessionModuleInWebConfig:
+                            ConfigureSecureSessionModuleInWebConfig();
+                            break;
+                        case ActionTypes.UpdatePortalSessionValidationKey:
+                            UpdatePortalSessionValidationKey();
+                            break;
 					}
 				}
 				this.progressBar.Value = 100;
@@ -281,6 +287,87 @@ namespace WebsitePanel.Setup
 				Wizard.GoNext();
 		}
 
+        private void ConfigureSecureSessionModuleInWebConfig()
+        {
+            try
+            {
+                string webConfigPath = Path.Combine(Wizard.SetupVariables.InstallationFolder, "web.config");
+                Log.WriteStart("Web.config file is being updated");
+                // Ensure the web.config exists
+                if (!File.Exists(webConfigPath))
+                {
+                    Log.WriteInfo(string.Format("File {0} not found", webConfigPath));
+                    return;
+                }
+                // Load web.config
+                XmlDocument doc = new XmlDocument();
+                doc.Load(webConfigPath);
+
+                // add node:
+                //<system.webServer>
+                //  <modules>
+                //    <add name="SecureSession" type="WebsitePanel.WebPortal.SecureSessionModule" />
+                //  </modules>
+                //</system.webServer>
+                //
+                //  ... or for IIS 6:
+                //
+                //<system.web>
+                //  <httpModules>
+                //    <add name="SecureSession" type="WebsitePanel.WebPortal.SecureSessionModule" />
+                //  </httpModules>
+                //</system.web>
+                bool iis6 = false;
+                XmlElement webServer = doc.SelectSingleNode("configuration/system.webServer") as XmlElement;
+                if (webServer == null)
+                {
+                    // this is IIS 6
+                    webServer = doc.SelectSingleNode("configuration/system.web") as XmlElement;
+                    iis6 = true;
+                }
+
+                if (webServer != null)
+                {
+                    var modules = doc.CreateElement(iis6 ? "httpModules" : "modules");
+                    webServer.AppendChild(modules);
+                    var sessionModule = doc.CreateElement("add");
+                    sessionModule.SetAttribute("name", "SecureSession");
+                    sessionModule.SetAttribute("type", "WebsitePanel.WebPortal.SecureSessionModule");
+                    modules.AppendChild(sessionModule);
+                }
+
+                // update /system.web/httpRuntime element
+                var httpRuntime = doc.SelectSingleNode("configuration/system.web/httpRuntime") as XmlElement;
+                if (httpRuntime != null)
+                    httpRuntime.SetAttribute("enableVersionHeader", "false");
+
+                // add:
+                //<appSettings>
+                //    <add key="SessionValidationKey" value="XXXXXX" />
+                //</appSettings>
+                var appSettings = doc.SelectSingleNode("configuration/appSettings");
+                if (appSettings != null)
+                {
+                    var sessionKey = doc.CreateElement("add");
+                    sessionKey.SetAttribute("name", "SessionValidationKey");
+                    sessionKey.SetAttribute("value", StringUtils.GenerateRandomString(16));
+                    appSettings.AppendChild(sessionKey);
+                }
+                
+                // save changes have been made
+                doc.Save(webConfigPath);
+                //
+                Log.WriteEnd("Web.config has been updated");
+            }
+            catch (Exception ex)
+            {
+                if (Utils.IsThreadAbortException(ex))
+                    return;
+                Log.WriteError("Could not update web.config file", ex);
+                throw;
+            }
+        }
+
 		private void SwitchWebPortal2AspNet40(InstallAction action, Setup.SetupVariables setupVariables)
 		{
 			var sam = new WebPortalActionManager(setupVariables);
@@ -2570,6 +2657,44 @@ namespace WebsitePanel.Setup
 			}
 		}
 
+        private void UpdatePortalSessionValidationKey()
+        {
+            try
+            {
+                string installFolder = Wizard.SetupVariables.InstallationFolder;
+                string path = Path.Combine(installFolder, "web.config");
+
+                if (!File.Exists(path))
+                {
+                    Log.WriteInfo(string.Format("File {0} not found", path));
+                    return;
+                }
+
+                Log.WriteStart("Updating configuration file (session validation key)");
+                XmlDocument doc = new XmlDocument();
+                doc.Load(path);
+
+                XmlElement sessionKey = doc.SelectSingleNode("configuration/appSettings/add[@key='SessionValidationKey']") as XmlElement;
+                if (sessionKey == null)
+                {
+                    Log.WriteInfo("SessionValidationKey setting not found");
+                    return;
+                }
+
+                sessionKey.SetAttribute("value", StringUtils.GenerateRandomString(16));
+                doc.Save(path);
+                Log.WriteEnd("Updated configuration file");
+                InstallLog.AppendLine("- Updated session validation key in the configuration file");
+            }
+            catch (Exception ex)
+            {
+                if (Utils.IsThreadAbortException(ex))
+                    return;
+                Log.WriteError("Configuration file update error", ex);
+                throw;
+            }
+        }
+
 		private void SetServiceSettings()
 		{
 			try

WebsitePanel/Sources/WebsitePanel.WebPortal/Web6.config

@@ -4,6 +4,7 @@
 		<add key="WebPortal.ThemeProvider" value="WebsitePanel.Portal.WebPortalThemeProvider, WebsitePanel.Portal.Modules"/>
 		<add key="WebPortal.PageTitleProvider" value="WebsitePanel.Portal.WebPortalPageTitleProvider, WebsitePanel.Portal.Modules"/>
 		<add key="ChartImageHandler" value="storage=file;timeout=20;" />
+		<add key="SessionValidationKey" value="DAD46D476F85E0198BCA134D7AA5CC1D7" />
 	</appSettings>
 	<system.web.extensions>
 		<scripting>
@@ -56,6 +57,9 @@
 			<add verb="*" path="Reserved.ReportViewerWebControl.axd" type="Microsoft.Reporting.WebForms.HttpHandler, Microsoft.ReportViewer.WebForms, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" validate="false"/>
 			<add verb="GET,HEAD,POST" path="ChartImg.axd" type="System.Web.UI.DataVisualization.Charting.ChartHttpHandler, System.Web.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" validate="false" />
 		</httpHandlers>
+        <httpModules>
+			<add name="SecureSession" type="WebsitePanel.WebPortal.SecureSessionModule" />
+        </httpModules>		
 		<!-- Authentication -->
 		<authentication mode="Forms">
 			<forms name=".WEBSITEPANELPORTALAUTHASPX" protection="All" timeout="30" path="/" requireSSL="false" slidingExpiration="true" cookieless="UseDeviceProfile" domain="" enableCrossAppRedirects="false">