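/// <summary>
/// Builds the Freshdesk remote-login (SSO) URL for the current user and redirects to it.
/// The URL carries the user's name, e-mail, a timestamp and an HMAC over those values.
/// </summary>
/// <returns>A redirect to the Freshdesk SSO login endpoint.</returns>
public ActionResult HelpLogin()
{
    // NOTE(review): this is a sample value. The SSO secret authenticates every user the
    // portal accepts, so in a deployment it belongs in protected configuration, not in source.
    const string key = "abcdefghijklmnopqrtuvwxyz";
    // The parameter name is "timestamp"; the original "&times" + "tamp" had been turned
    // into "×tamp" by an HTML-entity conversion, which breaks the query string.
    // This points at the demo host; a production portal should use its own tenant
    // URL over HTTPS, since the query string carries the identity assertion.
    const string pathTemplate = "http://demo.freshdesk.com/login/sso?name={0}&email={1}&timestamp={2}&hash={3}";
    var username = UserHelper.CurrentUser.UserName;
    var email = UserHelper.CurrentUser.Email;
    // Whole seconds since the Unix epoch, formatted culture-invariantly: the previous
    // double.ToString() emitted a fractional value whose decimal separator depended on
    // the server locale, and the same string must be reproducible on the verifying side.
    var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    string timems = ((long)(DateTime.UtcNow - epoch).TotalSeconds)
        .ToString(System.Globalization.CultureInfo.InvariantCulture);
    // The hash is computed over the raw (unencoded) values; only the URL is encoded.
    var hash = GetHash(key, username, email, timems);
    var path = string.Format(
        System.Globalization.CultureInfo.InvariantCulture,
        pathTemplate,
        Server.UrlEncode(username),
        Server.UrlEncode(email),
        timems,
        hash);
    return Redirect(path);
}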
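/// <summary>
/// Computes the SSO hash: HMAC-MD5 keyed with <paramref name="secret"/> over
/// <c>name + email + timems</c>, returned as lower-case hexadecimal.
/// </summary>
/// <param name="secret">Shared secret agreed with the SSO consumer; used as the HMAC key.</param>
/// <param name="name">User name, unencoded.</param>
/// <param name="email">User e-mail address, unencoded.</param>
/// <param name="timems">Timestamp string exactly as it is placed in the redirect URL.</param>
/// <returns>32 lower-case hexadecimal characters.</returns>
private static string GetHash(string secret, string name, string email, string timems)
{
    // NOTE(review): commenters on this gist report that Freshdesk later changed the
    // digest input to name + secret + email + timestamp; confirm the required order
    // against the current Freshdesk SSO documentation before relying on this one.
    string input = name + email + timems;
    // UTF-8 instead of Encoding.Default: on .NET Framework Encoding.Default is the OS
    // ANSI code page, so a name or address containing non-ASCII characters would be
    // hashed over different bytes than the same string encoded as UTF-8 elsewhere.
    byte[] keyBytes = Encoding.UTF8.GetBytes(secret);
    byte[] inputBytes = Encoding.UTF8.GetBytes(input);
    byte[] digest;
    // HMAC-MD5 is what this SSO scheme prescribes; the HMAC instance is disposed so
    // its key material is not left around on the heap longer than needed.
    using (var hmac = new HMACMD5(keyBytes))
    {
        digest = hmac.ComputeHash(inputBytes);
    }
    // "x2" emits two lower-case hex digits per byte, replacing the manual
    // "X" + ToLower() + zero-padding loop.
    var sb = new StringBuilder(digest.Length * 2);
    foreach (byte b in digest)
    {
        sb.Append(b.ToString("x2", System.Globalization.CultureInfo.InvariantCulture));
    }
    return sb.ToString();
}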
How do I set the remote login URL dynamically through code? For example, if it is abc.com then abc.support.com
You should be using string input = name + secret + email + timems for the security fix specified. |
@kirandarisi That's how I read it as well. Freshdesk also has another example in the package which uses yet another order for the parameters. There are similar comments on that one as well, along with people complaining that the new format has issues with the timestamps. It's going to be an interesting couple of days as this all breaks. Edit: The question about the timestamp is answered by this gist, but the point of the issue, that the timestamp epoch requirement is not well defined, is still relevant.
Some other comments on the code. You are using the "X" as a format string for ToString() and then you are calling ToLower() when you could have just used "x" to get the lower-case hexadecimal value. You are also then creating a leading zero in the loop, when you could have just used a format string "x2" (hexadecimal padded with leading zeroes to a minimum length of 2). Here is some updated code (also adding the new hash requirement):
@42degrees Code looks good. Can you please update the code? I work at Freshdesk, and a couple of our KB articles refer to this gist. It would be great if you could change them.
@kirandarisi, I wish there was a way for me to change this gist, but gist.github doesn't allow pull requests; the only choice is to fork it, which @darkpssngr has already done (using my code sample and others). darkpssngr's fork: https://gist.github.com/darkpssngr/726162ed0bd67ffdd616370c65a17e68
The GetHash function should use Encoding.UTF8 instead of Encoding.Default. This will prevent hash mismatches when dealing with special characters in usernames or email addresses.