An ASP.NET IHttpModule that, on every POST, verifies the posted UserName/Password pair against the membership store, overwrites the Password form field with a random value so downstream code never sees the clear-text password, and hands the verification result to the controller through HttpContext.Items["IsPasswordValid"].
using System; | |
using System.Collections.Generic; | |
using System.Linq; | |
using System.Web; | |
using System.Web.Mvc; | |
using System.Web.Routing; | |
using System.Web.Security; | |
using Recaptcha; | |
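namespace Controllers
{
    /// <summary>
    /// Login endpoint that relies on <c>SecureDataModule</c> (an IHttpModule registered in
    /// web.config) having already verified the posted password during BeginRequest and
    /// recorded the outcome in <c>HttpContext.Items["IsPasswordValid"]</c>.
    /// By the time this action runs the <c>Password</c> form field has been overwritten with
    /// a random value, so <c>model.Password</c> is meaningless and must never be used here.
    /// </summary>
    public class AccountController : Controller
    {
        /// <summary>
        /// Issues the forms-authentication cookie when the CAPTCHA passed, every other
        /// account pre-check passed, and the module reported a valid password.
        /// </summary>
        /// <param name="model">Bound login form; only <c>UserName</c> and <c>RememberMe</c> are meaningful (the password was scrubbed by the module).</param>
        /// <param name="returnUrl">Post-login redirect target, handed to <c>HandleLoginRedirect</c> (assumed to validate it as a local URL -- confirm).</param>
        /// <param name="captchaValid">Populated by <c>[RecaptchaControlMvc.CaptchaValidator]</c>; true when the CAPTCHA answer verified.</param>
        /// <param name="captchaErrorMessage">Failure reason supplied by the CAPTCHA validator when <paramref name="captchaValid"/> is false.</param>
        /// <returns>The post-login redirect on success; otherwise the login view with a model error.</returns>
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        [RecaptchaControlMvc.CaptchaValidator]
        public ActionResult Login(LoginModel model, string returnUrl, bool captchaValid, string captchaErrorMessage)
        {
            // Fix: the original accepted captchaValid but never looked at it, so the CAPTCHA
            // gate was decorative.
            // NOTE(review): the module has already hit the database at BeginRequest, before the
            // anti-forgery filter and the CAPTCHA validator ran; this check only decides whether
            // a cookie is issued -- it does not throttle password guessing.
            if (!captchaValid)
            {
                ModelState.AddModelError(string.Empty, captchaErrorMessage ?? "CAPTCHA verification failed.");
                return View(model);
            }

            // Do all your other account verification steps... enabled, not locked, etc.
            // ... (allThatOtherStuffPasses is a placeholder for those checks)
            if (allThatOtherStuffPasses)
            {
                // SecureDataModule sets this flag to true only when a user with the posted
                // UserName exists and Crypto.VerifyHashedPassword succeeded.  Any other outcome
                // (missing field, unknown user, wrong password, module not registered) leaves it
                // false or unset; treat "unset" exactly like "false" so we fail closed.
                var isPasswordValid = System.Web.HttpContext.Current.Items["IsPasswordValid"];
                if (isPasswordValid is bool && (bool)isPasswordValid)
                {
                    FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
                    LoggingService.LogEvent(model.UserName, SystemsEventType.Login);
                    return HandleLoginRedirect(returnUrl);
                }
            }

            // Fix: the original fell off the end of the method on every failure path (no return
            // value).  One generic message for all failures so the response does not reveal
            // which step rejected the attempt.
            ModelState.AddModelError(string.Empty, "The user name or password provided is incorrect.");
            return View(model);
        }
    }
}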
using System; | |
using System.Reflection; | |
using System.Web; | |
using System.Web.Helpers; | |
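namespace Modules
{
    /// <summary>
    /// Verifies a posted UserName/Password pair against the membership store during
    /// BeginRequest, records the outcome in <c>HttpContext.Items["IsPasswordValid"]</c>,
    /// and overwrites the Password form field with a random value so that nothing
    /// downstream (model binding, logging, error pages) sees the clear-text password.
    /// </summary>
    /// <remarks>
    /// You will need to configure this module in the web.config file of your
    /// web and register it with IIS before being able to use it. For more information
    /// see the following link: http://go.microsoft.com/?linkid=8101007
    ///
    /// Security notes:
    /// - The module runs for every POST to the application, not only the login action.
    ///   Any POST that carries UserName and Password fields triggers a database lookup and a
    ///   password-hash verification before routing, anti-forgery and CAPTCHA checks have run,
    ///   so rate limiting / lockout has to live here or in the membership layer, not in the
    ///   controller.  TODO(review): restrict to the login URL if that is acceptable.
    /// - Scrubbing the Form collection does not remove the password from process memory:
    ///   the raw request body and the immutable .NET string read below still contain it
    ///   until they are garbage-collected.  It only keeps the value out of Request.Form.
    /// - An unknown user name returns without running the hash verification, so response
    ///   timing can reveal whether an account exists.  Verifying against a dummy hash would
    ///   close that; not done here because no such hash is available in this listing.
    /// </remarks>
    public class SecureDataModule : IHttpModule
    {
        /// <summary>Key under which the verification result is stored in HttpContext.Items.</summary>
        private const string IsPasswordValidKey = "IsPasswordValid";

        #region IHttpModule Members

        /// <summary>Nothing to release; the module holds no state.</summary>
        public void Dispose()
        {
        }

        /// <summary>Subscribes to BeginRequest, the earliest point at which the form is readable.</summary>
        public void Init(HttpApplication context)
        {
            context.BeginRequest += context_BeginRequest;
        }

        #endregion

        /// <summary>
        /// BeginRequest handler.  Does nothing for non-POST requests or POSTs without a
        /// Password field; otherwise scrubs the field and runs the verification.
        /// </summary>
        /// <param name="sender">The <see cref="HttpApplication"/> raising the event.</param>
        /// <param name="e">Unused.</param>
        public void context_BeginRequest(object sender, EventArgs e)
        {
            var application = (HttpApplication)sender;
            var context = application.Context;
            var request = context.Request;

            // HTTP method names are case-sensitive; only POST can carry credentials.
            if (request.HttpMethod != "POST")
            {
                return;
            }

            var form = request.Form;
            var username = form["UserName"];
            var password = form["Password"];

            // Fix: the original unlocked the form via reflection on every request and injected
            // a random "Password" entry into POSTs that never had one.  Touch nothing unless
            // there is actually a password to scrub.
            if (password == null)
            {
                return;
            }

            // Overwrite the clear-text value before anything else can observe it.
            MakeWritable(form);
            form["Password"] = Guid.NewGuid().ToString();

            // Fail closed: the flag is false until verification explicitly succeeds.
            context.Items[IsPasswordValidKey] = false;

            if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(password))
            {
                return;
            }

            // Parameterized lookups; never concatenate the posted user name into the query.
            var user = Users.SingleOrDefault("WHERE UserName = @0", username);
            if (user == null)
            {
                return;
            }

            var membershipUser = webpages_Membership.SingleOrDefault("WHERE UserId = @0", user.UserId);
            if (membershipUser == null)
            {
                return;
            }

            context.Items[IsPasswordValidKey] = Crypto.VerifyHashedPassword(membershipUser.Password, password);
        }

        /// <summary>
        /// Clears the protected <c>IsReadOnly</c> flag on the request form via reflection.
        /// The Form collection is read-only by design and there is no public way around it.
        /// </summary>
        /// <param name="form">The <c>Request.Form</c> collection to unlock.</param>
        /// <exception cref="InvalidOperationException">
        /// The property could not be found on this runtime.  Fix: the original dereferenced
        /// the lookup result unconditionally, which would turn a framework change into a
        /// NullReferenceException on every request; failing with a clear message is better
        /// than silently leaving the clear-text password in the form.
        /// </exception>
        private static void MakeWritable(System.Collections.Specialized.NameValueCollection form)
        {
            var property = form.GetType().GetProperty(
                "IsReadOnly",
                BindingFlags.Instance | BindingFlags.IgnoreCase | BindingFlags.NonPublic | BindingFlags.FlattenHierarchy);
            if (property == null)
            {
                throw new InvalidOperationException("Cannot make Request.Form writable: IsReadOnly property not found.");
            }
            property.SetValue(form, false, null);
        }
    }
}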