Creating a unique user session ID in ASP.NET C# - c#

I'm not very experienced when it comes to development and I'm trying to secure an application so please bear with me. At the moment, the user is being authenticated and a new session is created using the following code:
public static void NewSession(Account account)
{
var redirectUrl = "Login.aspx";
if (account == null)
{
var sessionCookie = HttpContext.Current.Request.Cookies["test-app-session"];
if (sessionCookie != null)
ExpireCookie(sessionCookie);
}
else
{
var sessionCookie = new HttpCookie("test-app-session");
sessionCookie.Values["account-id"] = account.Id.ToString();
sessionCookie.Expires = DateTime.Now.AddHours(12);
HttpContext.Current.Response.Cookies.Add(sessionCookie);
var redirectCookie = HttpContext.Current.Request.Cookies["test-app-redirect"];
if (redirectCookie != null)
{
redirectUrl = redirectCookie.Values["url"];
ExpireCookie(redirectCookie);
}
if (string.IsNullOrWhiteSpace(redirectUrl))
redirectUrl = "Default.aspx";
}
HttpContext.Current.Response.Redirect(redirectUrl);
}
When the App validates the session, it then uses the below code:
public static Account FromSession()
{
var sessionCookie = HttpContext.Current.Request.Cookies["test-app-session"];
if (sessionCookie != null && long.TryParse(sessionCookie.Values["account-id"], out long accountId))
{
using (var db = Database.Connect())
{
using (var cmd = db.Command("SELECT * FROM Account WHERE id=#id").Parameter("#id", accountId, DbType.Int64))
using (var reader = cmd.ExecuteReader())
if (reader.Read())
return new Account(reader);
}
}
if (!Path.GetFileName(HttpContext.Current.Request.Path).Equals("Login.aspx", StringComparison.OrdinalIgnoreCase))
{
var redirectCookie = new HttpCookie("test-app-redirect");
redirectCookie.Values["url"] = HttpContext.Current.Request.Url.ToString();
redirectCookie.Expires = DateTime.Now.AddHours(1);
HttpContext.Current.Response.Cookies.Add(redirectCookie);
HttpContext.Current.Response.Redirect("Login.aspx");
}
return null;
}
The problem is that the account-id value can be easily guessed, so I want to use a unique value for this. I don't really know how I'd implement this, as I'm not sure how the value would then be tied to the users session if there isn't an identifier I can check against. Obviously I'm missing something fundamental in how session management is supposed to work, but I can't figure out what it is. If I create a GUID to store in the cookie, the browser saves it and knows what it is, but how does the server know what this ID is and link it to the user?

Related

Microsoft Identity Platform - User Token Cache args.Account is always null

I have an MVC web application wanting to send emails from one email address using Office365. I am calling the API so that it shows up the microsoftonline login page for signing in. On successful sign in I am receiving the code back from API and generating Microsoft.Identity.Client.AuthenticationResult with the help of code and saving tokenresponse.UniqueId and tokenresponse.Account.HomeAccountId.Identifier in database.
I got to following page and signed in successfully and my database has the response saved.
After this I am trying to send emails using following code:
IConfidentialClientApplication mailer;
var mailerbuilder = ConfidentialClientApplicationBuilder
.Create(o365setpQry.ClientId))
.WithAuthority(AzureCloudInstance.AzurePublic, o365setpQry.Tenant)
.WithClientSecret(o365setpQry.ClientSecret);
mailerbuilder.WithRedirectUri(O365OAuthRedirectURL);
mailer = mailerbuilder.Build();
//user token cache.
mailer.UserTokenCache.SetAfterAccess((args) => {
Users user;
if **(args.Account == null)** user = null;
else user = _users.Table.Where(x => x.email_address == args.Account.Username).FirstOrDefault();
if (user == null)
{
var emsetp = _emsetp.Table.FirstOrDefault();
if (args.HasStateChanged || (emsetp.o365_GlobalTokenInfo == null))
{
emsetp.o365_GlobalTokenInfo = args.TokenCache.SerializeMsalV3();
}
}
else if (args.HasStateChanged || (user.o365_TokenInfo == null))
{
user.o365_TokenInfo = args.TokenCache.SerializeMsalV3();
_users.Update(user);
}
});
webEmailer.UserTokenCache.SetBeforeAccess((args) => {
Users user;
**if (args.Account == null)** user = null;
else user = _users.Table.Where(x => x.email_address == args.Account.Username).FirstOrDefault();
if (user == null)
{
args.TokenCache.DeserializeMsalV3(_emsetp.Table.FirstOrDefault().o365_GlobalTokenInfo);
}
else if (user.o365_TokenInfo != null)
{
args.TokenCache.DeserializeMsalV3(user.o365_TokenInfo);
}
});
var t = mailer.GetAccountAsync(emsetp.FirstOrDefault().o365_GlobalToken);
t.Wait();
Microsoft.Identity.Client.IAccount acct = t.Result;
The args.Account is returning null always.
var RequestClient = GraphClientFactory.Create(new DelegateAuthenticationProvider(new AuthenticateRequestAsyncDelegate((args) => {
var tokenRequest = mailer.AcquireTokenSilent(scopes, acct).ExecuteAsync();
tokenRequest.Wait();
args.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokenRequest.Result.AccessToken);
return System.Threading.Tasks.Task.FromResult(0);
})));
var graphClient = new GraphServiceClient(RequestClient);
var t = graphClient.Me.SendMail(message, true).Request();
var u = t.PostAsync();
I made sure my redirect urls are matching and I am not getting any errors from the API calls to see what is wrong and what makes args.Account value null and thus am not able to send emails. If I request the sign in page again it still shows the account I am signed in with.

Why am I getting a deadlock when my code is accessed multiple times?

In my c# code I have the following method that creates a document in the database, adds metadata regarding the document to the database and then updates some information regarding the date the repository was last updated. This method is often called numerous times in quick succession as multiple file uploads are common. However I am having problems with the code failing due to deadlock in sql server.
private IEnumerable<DocumentMetadata> CreateDoc(int? jobId, int?repositoryId, int? folderId, string documentTypeString, IEnumerable<DocumentModel> files)
{
if ((jobId == null && repositoryId == null) || (jobId != null && repositoryId != null))
{
throw new InvalidOperationException("Either job id or repository id must be specified");
}
using (var tran = new TransactionScope())
{
List<DocumentMetadata> newDocuments = new List<DocumentMetadata>();
var documentType = GetDocumentTypeByPrefix(documentTypeString);
if (folderId == null)
{
// Find the root folder
var job = getJob(jobId);
var rootFolder = getRootFolder(job);
// If we can't find a root folder, create one
if (rootFolder == null)
{
rootFolder = CreateRootDirectory(job);
}
folderId = rootFolder.FolderId;
}
User currentUser = _userService.GetCurrentUser();
foreach (var file in files)
{
var document = new Document() { Document1 = file.Data };
var documentMetadata = new DocumentMetadata
{
Document = document,
CreatedDate = file.CreatedDate,
FileName = file.Filename,
FileSize = file.Data.Length,
FolderId = folderId,
DocumentType = documentType,
JobId = jobId,
RepositoryId = repositoryId,
User = currentUser
};
_unitOfWork.DocumentMetadata.Add(documentMetadata);
newDocuments.Add(documentMetadata);
}
// set repository updated date
if (repositoryId != null)
{
DocumentRepository repo = GetDocumentRepository(repositoryId);
if (repo != null)
{
repo.UpdatedDate = new DateTimeOffset(DateTime.Now);
}
}
_unitOfWork.SaveChanges();
tran.Complete();
return newDocuments;
}
}
After some debugging it would appear that the updating of the repository id is causing the deadlock problem. If I remove this code block outside of the transaction all files are saved with no errors.
Why would this code block
if (repositoryId != null)
{
DocumentRepository repo = GetDocumentRepository(repositoryId);
if (repo != null)
{
repo.UpdatedDate = new DateTimeOffset(DateTime.Now);
}
}
cause the deadlock? No other access is being made to the DocumentRepository table apart from in this method - as the locks are obtained in the same order surely there should be no deadlock?
What is it about this code that is leading to deadlock?
Updated: The code for GetDocumentRepository is:
public DocumentRepository GetDocumentRepository(int repositoryId)
{
var result = DocumentRepositories.SingleOrDefault(x => x.RepositoryId == repositoryId); return result;
}
Have you checked the code without defining a transaction explicitly? Based on your code I would say that you are trying to read something that has been modified but not commited.
Another test you could do is to try to add a breakpoint in your code and try to get the DocumentRepository using READ UNCOMMITTED.

Post to a closed group where Im admin

I have the following code(facebook C# SDK) to post to facebook wall :
public long? UploadPost(string intLinkTitle, string inMessage, string inLinkCaption, string inLinkUrl, string inLinkDescription, string inLinkUrlPicture)
{
object obj;
Facebook.JsonObject jsonObj;
FacebookClient client;
string access_token = ConfigurationManager.AppSettings["FacebookPageAccessToken"].ToString();
client = new FacebookClient(access_token);
var args = new Dictionary<string, object>();
args["message"] = inMessage;
args["caption"] = inLinkCaption;
args["description"] = inLinkDescription;
args["name"] = intLinkTitle;
args["picture"] = inLinkUrlPicture;
args["link"] = inLinkUrl;
if ((obj = client.Post("/" + ConfigurationManager.AppSettings["FacebookPageId"].ToString() + "/feed", args)) != null)
{
if ((jsonObj = obj as Facebook.JsonObject) != null)
{
if (jsonObj.Count > 0)
return long.Parse(jsonObj[0].ToString().Split('_').Last().ToString());
}
}
return null;
}
}
This works great as long as I post to my public facebook website page but when changing the FacebookPageId to a group id instead I get (FacebookApiException - #200) Permissions error.
My user are admin of both the group and the page.
I have tried to post the message from the Graph API Explorer with the following line : 294632750660619/feed/?message=test but there is a syntax problem here, have also tried 294632750660619/feed?message=test but with no success.
How do I post to the closed facebook group?
Okay, I found the correct way. This is what I hade to do :
Go to the https://developers.facebook.com/ and create a new application
Settings > Add platform(Website and set the site URL(for example localhost..)
Set the app to go live(status & review > Yes), to do this a email adress needs to be set under settings > Contact Email
Go to the Graph API Explorer
Choose the new app from the dropdown
Click Get Access Token
Choose correct permissions(user_groups, user_status, user_photos, manage_pages, publish_actions, read_insights and read_stream) and click Get Access Token. Now we bot a short lived tooken
Generate a extended user token (valid for 60 days) by using this URL(change parameters(3)) : https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id=[app-id]&client_secret=[app-secret]&fb_exchange_token=[short-lived-token]
Use the generated none expiring access token in the application
Validate the Access token here : https://developers.facebook.com/tools/debug/access_token/
Use this code to upload post :
public long? UploadPost(string intLinkTitle, string inMessage, string inLinkCaption, string inLinkUrl, string inLinkDescription, string inLinkUrlPicture)
{
object obj;
Facebook.JsonObject jsonObj;
FacebookClient client;
string access_token = ConfigurationManager.AppSettings["FacebookPageAccessToken"].ToString();
client = new FacebookClient(access_token);
var args = new Dictionary<string, object>();
args["message"] = inMessage;
args["caption"] = inLinkCaption;
args["description"] = inLinkDescription;
args["name"] = intLinkTitle;
args["picture"] = inLinkUrlPicture;
args["link"] = inLinkUrl;
if ((obj = client.Post("/" + ConfigurationManager.AppSettings["FacebookPageId"].ToString() + "/feed", args)) != null)
{
if ((jsonObj = obj as Facebook.JsonObject) != null)
{
if (jsonObj.Count > 0)
return long.Parse(jsonObj[0].ToString().Split('_').Last().ToString());
}
}
return null;
}
And to get feed, use this :
private void GetFeed()
{
object obj;
Facebook.JsonObject jsonObj;
Facebook.JsonObject jsonPaging;
FacebookClient client;
int pageCount = 0;
string access_token;
string URL;
DateTime fetchFaceBookFeedFromDate;
DateTime? oldestPostFetched = null;
fetchFaceBookFeedFromDate = DateTime.Now.AddDays(-30);
access_token = ConfigurationManager.AppSettings["FacebookPageAccessToken"].ToString();
URL = "/" + ConfigurationManager.AppSettings["FacebookPageId"].ToString() + "/feed";
client = new FacebookClient(access_token);
while (URL.Length > 0 && pageCount < 1000)
{
if ((obj = client.Get(URL)) != null)
{
if ((jsonObj = obj as Facebook.JsonObject) != null && jsonObj.Count > 0)
{
if (jsonObj[0] is Facebook.JsonArray)
oldestPostFetched = SaveFacebookForumThread(jsonObj[0] as Facebook.JsonArray, fetchFaceBookFeedFromDate);
if (jsonObj.Keys.Contains("paging") && (jsonPaging = jsonObj["paging"] as Facebook.JsonObject) != null && jsonPaging.Keys.Contains("next"))
URL = jsonPaging["next"].ToString();
else
break;
}
}
pageCount++;
if (oldestPostFetched.HasValue && fetchFaceBookFeedFromDate > oldestPostFetched)
break;
}
}

Verify app invite server-side

When our mobile app user sends app-invite to fb user and he accepts it, the server should give a reward to the first one. So I need a way to verify whether the invite was sent.
var fb = new FacebookClient(APP_ID + "|" + SECRET_ID);
fb.AppId = APP_ID;
fb.AppSecret = SECRET_ID;
dynamic result = fb.Get(???);
I searched on GraphAPI docs and it seems that I need to retrieve users apprequests. How to do that from the server side and where to look at to perform such verification?
UPDATE
Ok, now I know that it's allowed to reward only for accepted invites. I can record who invites who in the db and give a reward only when a new invited user joins. But I still need a way to verify that these invites were actually sent.
UPDATE2
As the documentation states apprequests call from application returns all the requests sent from this application. So I think it would be enough for me to just check that there are any requests from this app:
dynamic result = fb.Get("/" + facebookId + "/apprequests");
IEnumerable data = result.data;
return data.Cast<object>().Count() != 0;
But I can't check it now. Can anyone confirm that if a user sends invite to app to another user this invite will be seen through apprequests from the application access token?
my code for this:
public static FacebookRequestData GetInviteHash()
{
string requestId = Request["request_ids"];
var accessToken = GetAccessToken(ConfigurationManager.AppSettings["FacebookAppId"], ConfigurationManager.AppSettings["FacebookSecret"]);
string response;
using (var webClient = new WebClient())
{
response = webClient.DownloadString(string.Format("https://graph.facebook.com/{0}?{1}", requestId, accessToken));
}
var javaScriptSerializer = new JavaScriptSerializer();
return javaScriptSerializer.Deserialize<FacebookRequestData>(javaScriptSerializer.Deserialize<FacebookRequestInfo>(response).data);
}
private static string GetAccessToken(string appId, string password)
{
using (var webClient = new WebClient())
{
return webClient.DownloadString(string.Format("https://graph.facebook.com/oauth/access_token?client_id={0}&client_secret={1}&grant_type=client_credentials", appId, password));
}
}
private class FacebookRequestInfo
{
public string data { get; set; }
}
FacebookRequestData - my custom class with structure of fields that I posted to fb earlier
Done it:
public static bool CheckInvite(string fromId, string toId)
{
var fb = new FacebookClient(APP_ID + "|" + SECRET_ID);
fb.AppId = APP_ID;
fb.AppSecret = SECRET_ID;
dynamic result = fb.Get(string.Format("/{0}/apprequests", toId));
foreach (var el in result.data)
if ((string)el.from.id == fromId)
{
DateTime dateTime = DateTime.Parse((string)el.created_time, CultureInfo.InvariantCulture);
if ((DateTime.Now - dateTime).TotalMinutes < 15)
{
return true;
}
}
return false;
}

Retrieve name of user from Active Directory

I am admittedly very new to AD. I have a dropdown list that I have bound with a list of members within our organization. My end goal is to find their manager name, but I'm starting with baby steps.
I've done enough searching to get the right result. I'm having a problem getting the right data (verified by using breakpoints etc) out of the result
private void cmbUserList_SelectedIndexChanged(object sender, EventArgs e)
{
var userName = cmbUserList.SelectedValue.ToString();
DirectorySearcher search = new DirectorySearcher();
search.Filter = String.Format("(cn={0})", userName);
search.PropertiesToLoad.Add("givenName");
SearchResult result = search.FindOne();
if (result != null)
{
// For now I'm trying to just retrieve their name
lblManagerName.Text = result.GetDirectoryEntry().Name;
}
}
EDIT: I'm using .net version 4.0
Could someone point me towards retrieving the correct name, and then maybe even a link or resources to pull the manager name?
I think the problem with your code is you are using "(cn={0})", userName. You need to pass fully qualified name like
CN=Doe,John,OU=Users,OU=Headquarters,DC=company,DC=net
If you only have login ID, then the code below should work
DirectorySearcher directorySearcher = new DirectorySearcher("LDAP://RootDSE");
directorySearcher.Filter = "sAMAccountName=" + acctName;
directorySearcher.PropertiesToLoad.Add("manager");
SearchResult searchResult = directorySearcher.FindOne();
if (searchResult != null)
DirectoryEntry user = searchResult.GetDirectoryEntry();
Note that acctName is Windows login ID. If you want to play with AD and check out vearious properties and how they are stored, try dsquery and dsget command line tools. The command below will return a user record based on login id and will display contents of the manager field:
dsquery user domainroot -samid "loginid" | dsget user -samid -mgr
helper class and enum
public enum ActiveDirectoryObjectClass
{
Computer,
User,
Domain,
Group,
}
public static class ActiveDirectorySearcher
{
public static string GetCurrentDomainName()
{
string result;
using (Domain domain = Domain.GetCurrentDomain())
{
result = domain.Name;
}
return result;
}
public static IEnumerable<T> Select<T>(
ActiveDirectoryObjectClass activeDirectoryObjectClass,
Func<DirectoryEntry, ActiveDirectoryObjectClass, bool> condition,
Func<DirectoryEntry, T> selector
)
{
List<T> list = new List<T>();
using (Domain domain = Domain.GetCurrentDomain())
using (DirectoryEntry root = domain.GetDirectoryEntry())
{
string filter = string.Format("(objectClass={0})", activeDirectoryObjectClass);
using (DirectorySearcher searcher = new DirectorySearcher(filter))
{
searcher.SearchRoot = root;
searcher.SearchScope = SearchScope.Subtree;
using (SearchResultCollection result = searcher.FindAll())
{
foreach (SearchResult item in result)
{
using (DirectoryEntry entry = item.GetDirectoryEntry())
{
if (condition(entry, activeDirectoryObjectClass))
{
list.Add(selector(entry));
}
}
}
}
}
}
return list;
}
}
how to use
public IEnumerable<User> GetUsers()
{
return ActiveDirectorySearcher.Select(
ActiveDirectoryObjectClass.User,
(entry, adObjectClass) => string.Compare(entry.SchemaClassName, adObjectClass.ToString(), StringComparison.InvariantCultureIgnoreCase) == 0,
_ => new User
{
Name = _.Name.Substring(3),
Domain = ActiveDirectorySearcher.GetCurrentDomainName(),
});
}
Note: User in sample - custom class with properties Name, Domain, etc.
to find name and/or manager name:
if (sResult != null)
{
string userName = sResult.Properties["name"][0].ToString();
string managerDN = sResult.Properties["manager"][0].ToString();
DirectoryEntry man = new DirectoryEntry("LDAP://server_name/"+managerDN);
string managerName = man.Properties["name"][0].ToString();
}
server_name can be just domain component of FQDN i.e yourcompany.com, that way it will find catalog server on its own via DNS.
Edit:
I also recomend Active Directory Explorer from Sysinternals. It is great tool for exploring and understanding structure of AD

Categories