ncoblentzsps/Session Fixation & Forms Authentication Token Termination in ASP.NET: CoupleSessionAndFormsAuth.cs

## Session Fixation & Forms Authentication Token Termination in ASP.NET: CoupleSessionAndFormsAuth.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using WebMatrix.WebData;
using System.Web.Routing;

namespace Mvc4WithAuthentication.Auth
{
    public class CoupleSessionAndFormsAuth : ActionFilterAttribute
    {
        /* Occurs before the controller action is executed
         * Verifies one of two sitations:
         *   1. If the user is authenticated, the username in the session matches the username in the forms authentication token
         *   2. If the user does not have a forms authentication token, their session should not include any identity information, like a username
         * If any of these cases are violated, then the user will be logged out, their session will be destoryed, and they will be redirected to the login page
         * The following conditions will allow the user to reach the controller action:
         *   1. They do not have a forms auth token, and their session does not contain identity information
         *   2. They have a forms auth token, their session contains an identity, and the usernames match in both the forms auth token and the session
         */
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            //Grab the username from the session. returns null or the username
            String username = (String)filterContext.HttpContext.Session["UserName"];

            if (!WebSecurity.Initialized)
            {
                //clear the session
                filterContext.HttpContext.Session.Abandon();
                //redirect to the login page if not already going there
                if (!(filterContext.Controller is AccountController && filterContext.ActionDescriptor.ActionName.ToLower() == "login"))
                {
                    filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary { { "action", "Login" }, { "controller", "Account" } });
                }
            }
            //If the user is authenticated, compare the usernames in the session and forms auth cookie
            //WebSecurity.Initialized is true
            else if (WebSecurity.IsAuthenticated)
            {
                //Do the usernames match?
                if (username == null || username != WebSecurity.CurrentUserName)
                {
                    //If not, log the user out and clear their session
                    WebSecurity.Logout();
                    filterContext.HttpContext.Session.Abandon();
                    //redirect to the login page
                    filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary { { "action", "Login" }, { "controller", "Account" } });
                }
            }
            //If the user is not authenticated, but the session contains a username
            //WebSecurity.Initialized is true
            //WebSecurity.IsAuthenticated is false
            else if (username != null)
            {
                //log the user out (just in case) and clear the session
                WebSecurity.Logout();
                filterContext.HttpContext.Session.Abandon();
                //redirect to the login page
                filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary { { "action", "Login" }, { "controller", "Account" } });
            }

            base.OnActionExecuting(filterContext);
        }

    }
}
	using System;
	using System.Collections.Generic;
	using System.Linq;
	using System.Web;
	using System.Web.Mvc;
	using WebMatrix.WebData;
	using System.Web.Routing;

	namespace Mvc4WithAuthentication.Auth
	{
	public class CoupleSessionAndFormsAuth : ActionFilterAttribute
	{
	/* Occurs before the controller action is executed
	* Verifies one of two sitations:
	* 1. If the user is authenticated, the username in the session matches the username in the forms authentication token
	* 2. If the user does not have a forms authentication token, their session should not include any identity information, like a username
	* If any of these cases are violated, then the user will be logged out, their session will be destoryed, and they will be redirected to the login page
	* The following conditions will allow the user to reach the controller action:
	* 1. They do not have a forms auth token, and their session does not contain identity information
	* 2. They have a forms auth token, their session contains an identity, and the usernames match in both the forms auth token and the session
	*/
	public override void OnActionExecuting(ActionExecutingContext filterContext)
	{
	//Grab the username from the session. returns null or the username
	String username = (String)filterContext.HttpContext.Session["UserName"];

	if (!WebSecurity.Initialized)
	{
	//clear the session
	filterContext.HttpContext.Session.Abandon();
	//redirect to the login page if not already going there
	if (!(filterContext.Controller is AccountController && filterContext.ActionDescriptor.ActionName.ToLower() == "login"))
	{
	filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary { { "action", "Login" }, { "controller", "Account" } });
	}
	}
	//If the user is authenticated, compare the usernames in the session and forms auth cookie
	//WebSecurity.Initialized is true
	else if (WebSecurity.IsAuthenticated)
	{
	//Do the usernames match?
	if (username == null \|\| username != WebSecurity.CurrentUserName)
	{
	//If not, log the user out and clear their session
	WebSecurity.Logout();
	filterContext.HttpContext.Session.Abandon();
	//redirect to the login page
	filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary { { "action", "Login" }, { "controller", "Account" } });
	}
	}
	//If the user is not authenticated, but the session contains a username
	//WebSecurity.Initialized is true
	//WebSecurity.IsAuthenticated is false
	else if (username != null)
	{
	//log the user out (just in case) and clear the session
	WebSecurity.Logout();
	filterContext.HttpContext.Session.Abandon();
	//redirect to the login page
	filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary { { "action", "Login" }, { "controller", "Account" } });
	}

	base.OnActionExecuting(filterContext);
	}

	}
	}