src/Umbraco.Web/Security/UmbracoBackOfficeCookieAuthOptions.cs

using System;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Umbraco.Core;
using Umbraco.Core.Cache;
using Umbraco.Core.Configuration;
using Umbraco.Core.Configuration.UmbracoSettings;
using Umbraco.Core.Hosting;
using Umbraco.Core.IO;

namespace Umbraco.Web.Security
{
    /// <summary>
    /// Umbraco auth cookie options
    /// </summary>
    public sealed class UmbracoBackOfficeCookieAuthOptions : CookieAuthenticationOptions
    {
        public int LoginTimeoutMinutes { get; }

        public UmbracoBackOfficeCookieAuthOptions(
            string[] explicitPaths,
            IUmbracoContextAccessor umbracoContextAccessor,
            ISecuritySettings securitySettings,
            IGlobalSettings globalSettings,
            IHostingEnvironment hostingEnvironment,
            IRuntimeState runtimeState,
            ISecureDataFormat<AuthenticationTicket> secureDataFormat,
            IRequestCache requestCache)
        {
            var secureDataFormat1 = secureDataFormat ?? throw new ArgumentNullException(nameof(secureDataFormat));
            LoginTimeoutMinutes = globalSettings.TimeOutInMinutes;
            AuthenticationType = Constants.Security.BackOfficeAuthenticationType;

            SlidingExpiration = true;
            ExpireTimeSpan = TimeSpan.FromMinutes(LoginTimeoutMinutes);
            CookieDomain = securitySettings.AuthCookieDomain;
            CookieName = securitySettings.AuthCookieName;
            CookieHttpOnly = true;
            CookieSecure = globalSettings.UseHttps ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest;
            CookiePath = "/";

            TicketDataFormat = new UmbracoSecureDataFormat(LoginTimeoutMinutes, secureDataFormat1);

            //Custom cookie manager so we can filter requests
            CookieManager = new BackOfficeCookieManager(umbracoContextAccessor, runtimeState, hostingEnvironment, globalSettings, requestCache, explicitPaths);
        }

        /// <summary>
        /// Creates the cookie options for saving the auth cookie
        /// </summary>
        /// <param name="ctx"></param>
        /// <param name="ticket"></param>
        /// <returns></returns>
        public CookieOptions CreateRequestCookieOptions(IOwinContext ctx, AuthenticationTicket ticket)
        {
            if (ctx == null) throw new ArgumentNullException(nameof(ctx));
            if (ticket == null) throw new ArgumentNullException(nameof(ticket));

            var issuedUtc = ticket.Properties.IssuedUtc ?? SystemClock.UtcNow;
            var expiresUtc = ticket.Properties.ExpiresUtc ?? issuedUtc.Add(ExpireTimeSpan);

            var cookieOptions = new CookieOptions
            {
                Path = "/",
                Domain = this.CookieDomain ?? null,
                HttpOnly = true,
                Secure = this.CookieSecure == CookieSecureOption.Always
                                         || (this.CookieSecure == CookieSecureOption.SameAsRequest && ctx.Request.IsSecure),
            };

            if (ticket.Properties.IsPersistent)
            {
                cookieOptions.Expires = expiresUtc.UtcDateTime;
            }

            return cookieOptions;
        }

    }
}
-												Fixes: U4-6723 User timeout in the back office is an issue with new ASP.Net identity implementation

											
										
										
											2015-06-18 19:16:49 +02:00
+								using System;
-												Ensures that written cookies are done so consistently based on the UmbracoBackOfficeCookieAuthOptions. Ensures that when a webforms page requests token renewal that the token is not always renewed for the request, it checks if the tokens expiry correctly and only renews when necessary so the cookie is not written each time. Fixes the ForceRenewalCookieAuthenticationHandler to only write a cookie if the request is for a request that is not normally auth'd (i.e. is a webforms form that exists outside the normal /umbraco path ... legacy).

											
										
										
											2015-11-27 16:25:39 +01:00
+								using Microsoft.Owin;
 								using Microsoft.Owin.Security;
-												Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.

											
										
										
											2015-02-06 13:47:00 +11:00
+								using Microsoft.Owin.Security.Cookies;
-												massively simplifies the cookie handling, we don't use our own and just use the defaults, the trick to not validating everything is to use the cookie path. This does mean that each clientside request will also be validated but there's no way to override this behavior in identity currently, the cookie handler is internal so unless we copy/paste all of it's code can't do much about that.

											
										
										
											2015-02-06 14:05:29 +11:00
+								using Umbraco.Core;
-												Replaced usages of HttpContext.Items with usages of IRequestCache

											
										
										
											2020-02-13 07:46:49 +01:00
+								using Umbraco.Core.Cache;
-												Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.

											
										
										
											2015-02-06 13:47:00 +11:00
+								using Umbraco.Core.Configuration;
 								using Umbraco.Core.Configuration.UmbracoSettings;
-												Huge IIOHelper cleanup, removes some overlap with IHostingEnvironment, much less usages of IIOHelper and instead just use what is already available on IHostingEnvironment

											
										
										
											2020-04-03 11:03:06 +11:00
+								using Umbraco.Core.Hosting;
-												Let IOHelper use IHostingEnvironment

											
										
										
											2019-12-04 14:03:39 +01:00
+								using Umbraco.Core.IO;
-												Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.

											
										
										
											2015-02-06 13:47:00 +11:00
-												Some refactoring to decouple web based assemblies from Umbraco.Core and move whatever we can to Umbraco.Web where web based assemblies are used. Decouples System.Drawing entirely from Umbraco.Core and removes the Active Directory dependency from Umbraco.core.

											
										
										
											2018-08-29 01:15:46 +10:00
+								namespace Umbraco.Web.Security
-												Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.

											
										
										
											2015-02-06 13:47:00 +11:00
+								{
 								    /// <summary>
 								    /// Umbraco auth cookie options
 								    /// </summary>
-												Renames a few things to shorten names

											
										
										
											2015-04-10 16:55:04 +10:00
+								    public sealed class UmbracoBackOfficeCookieAuthOptions : CookieAuthenticationOptions
-												Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.

											
										
										
											2015-02-06 13:47:00 +11:00
+								    {
-												Removes FormsAuthentication cookie format and replaces with standard aspnet identity format, removes a bunch of old obsolete and unused code, fixes the culture setting issue, simplifies the UmbracoBackOfficeIdentity since it no longer needs to be a FormsIdentity and just a straight forward ClaimsIdentity

											
										
										
											2018-04-05 23:10:51 +10:00
+								        public int LoginTimeoutMinutes { get; }
-												Move constants

											
										
										
											2019-11-05 12:54:22 +01:00
-												U4-7538 GetRemainingTimeoutSeconds is double setting the cookie in 7.4

											
										
										
											2015-12-15 16:44:03 +01:00
+								        public UmbracoBackOfficeCookieAuthOptions(
 								            string[] explicitPaths,
-												U4-8861 Extract GlobalSettings to an interface and expose on the standard UmbracoConfig.For settings singleton including a bunch of cleanup, getting the installer and steps to be DI

											
										
										
											2018-04-06 13:51:54 +10:00
+								            IUmbracoContextAccessor umbracoContextAccessor,
-												Cleaned up config for Security settings

											
										
										
											2020-03-12 14:36:25 +01:00
+								            ISecuritySettings securitySettings,
-												U4-8861 Extract GlobalSettings to an interface and expose on the standard UmbracoConfig.For settings singleton including a bunch of cleanup, getting the installer and steps to be DI

											
										
										
											2018-04-06 13:51:54 +10:00
+								            IGlobalSettings globalSettings,
-												Huge IIOHelper cleanup, removes some overlap with IHostingEnvironment, much less usages of IIOHelper and instead just use what is already available on IHostingEnvironment

											
										
										
											2020-04-03 11:03:06 +11:00
+								            IHostingEnvironment hostingEnvironment,
-												U4-8861 Extract GlobalSettings to an interface and expose on the standard UmbracoConfig.For settings singleton including a bunch of cleanup, getting the installer and steps to be DI

											
										
										
											2018-04-06 13:51:54 +10:00
+								            IRuntimeState runtimeState,
-												Let IOHelper use IHostingEnvironment

											
										
										
											2019-12-04 14:03:39 +01:00
+								            ISecureDataFormat<AuthenticationTicket> secureDataFormat,
-												Replaced usages of HttpContext.Items with usages of IRequestCache

											
										
										
											2020-02-13 07:46:49 +01:00
+								            IRequestCache requestCache)
-												U4-7538 GetRemainingTimeoutSeconds is double setting the cookie in 7.4

											
										
										
											2015-12-15 16:44:03 +01:00
+								        {
-												Removes FormsAuthentication cookie format and replaces with standard aspnet identity format, removes a bunch of old obsolete and unused code, fixes the culture setting issue, simplifies the UmbracoBackOfficeIdentity since it no longer needs to be a FormsIdentity and just a straight forward ClaimsIdentity

											
										
										
											2018-04-05 23:10:51 +10:00
+								            var secureDataFormat1 = secureDataFormat ?? throw new ArgumentNullException(nameof(secureDataFormat));
-												U4-8861 Extract GlobalSettings to an interface and expose on the standard UmbracoConfig.For settings singleton including a bunch of cleanup, getting the installer and steps to be DI

											
										
										
											2018-04-06 13:51:54 +10:00
+								            LoginTimeoutMinutes = globalSettings.TimeOutInMinutes;
-												Move constants

											
										
										
											2019-11-05 13:45:42 +01:00
+								            AuthenticationType = Constants.Security.BackOfficeAuthenticationType;
-												Move constants

											
										
										
											2019-11-05 12:54:22 +01:00
-												U4-7538 GetRemainingTimeoutSeconds is double setting the cookie in 7.4

											
										
										
											2015-12-15 16:44:03 +01:00
+								            SlidingExpiration = true;
 								            ExpireTimeSpan = TimeSpan.FromMinutes(LoginTimeoutMinutes);
-												Cleaned up config for Security settings

											
										
										
											2020-03-12 14:36:25 +01:00
+								            CookieDomain = securitySettings.AuthCookieDomain;
 								            CookieName = securitySettings.AuthCookieName;
-												U4-7538 GetRemainingTimeoutSeconds is double setting the cookie in 7.4

											
										
										
											2015-12-15 16:44:03 +01:00
+								            CookieHttpOnly = true;
-												U4-8861 Extract GlobalSettings to an interface and expose on the standard UmbracoConfig.For settings singleton including a bunch of cleanup, getting the installer and steps to be DI

											
										
										
											2018-04-06 13:51:54 +10:00
+								            CookieSecure = globalSettings.UseHttps ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest;
-												Normalize cr/lf/tab

											
										
										
											2017-07-20 11:21:28 +02:00
+								            CookiePath = "/";
-												U4-7538 GetRemainingTimeoutSeconds is double setting the cookie in 7.4

											
										
										
											2015-12-15 16:44:03 +01:00
-												Removes FormsAuthentication cookie format and replaces with standard aspnet identity format, removes a bunch of old obsolete and unused code, fixes the culture setting issue, simplifies the UmbracoBackOfficeIdentity since it no longer needs to be a FormsIdentity and just a straight forward ClaimsIdentity

											
										
										
											2018-04-05 23:10:51 +10:00
+								            TicketDataFormat = new UmbracoSecureDataFormat(LoginTimeoutMinutes, secureDataFormat1);
-												U4-7538 GetRemainingTimeoutSeconds is double setting the cookie in 7.4

											
										
										
											2015-12-15 16:44:03 +01:00
+								            //Custom cookie manager so we can filter requests
-												Huge IIOHelper cleanup, removes some overlap with IHostingEnvironment, much less usages of IIOHelper and instead just use what is already available on IHostingEnvironment

											
										
										
											2020-04-03 11:03:06 +11:00
+								            CookieManager = new BackOfficeCookieManager(umbracoContextAccessor, runtimeState, hostingEnvironment, globalSettings, requestCache, explicitPaths);
-												U4-7538 GetRemainingTimeoutSeconds is double setting the cookie in 7.4

											
										
										
											2015-12-15 16:44:03 +01:00
+								        }
-												Move constants

											
										
										
											2019-11-05 12:54:22 +01:00
-												U4-7538 GetRemainingTimeoutSeconds is double setting the cookie in 7.4

											
										
										
											2015-12-15 16:44:03 +01:00
+								        /// <summary>
 								        /// Creates the cookie options for saving the auth cookie
 								        /// </summary>
 								        /// <param name="ctx"></param>
 								        /// <param name="ticket"></param>
 								        /// <returns></returns>
-												Ensures that written cookies are done so consistently based on the UmbracoBackOfficeCookieAuthOptions. Ensures that when a webforms page requests token renewal that the token is not always renewed for the request, it checks if the tokens expiry correctly and only renews when necessary so the cookie is not written each time. Fixes the ForceRenewalCookieAuthenticationHandler to only write a cookie if the request is for a request that is not normally auth'd (i.e. is a webforms form that exists outside the normal /umbraco path ... legacy).

											
										
										
											2015-11-27 16:25:39 +01:00
+								        public CookieOptions CreateRequestCookieOptions(IOwinContext ctx, AuthenticationTicket ticket)
-												Merge remote-tracking branch 'origin/dev-v7' into 7.4.0

Conflicts:
	build/InstallGit.cmd
	build/UmbracoVersion.txt
	src/SolutionInfo.cs
	src/Umbraco.Core/Configuration/UmbracoVersion.cs
	src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
	src/Umbraco.Web.UI/Umbraco/config/lang/nb.xml
	src/Umbraco.Web/Editors/DataTypeValidateAttribute.cs
	src/Umbraco.Web/Security/Identity/UmbracoBackOfficeCookieAuthOptions.cs
	src/Umbraco.Web/WebServices/SaveFileController.cs

											
										
										
											2016-01-06 10:46:38 +01:00
+								        {
-												Removes FormsAuthentication cookie format and replaces with standard aspnet identity format, removes a bunch of old obsolete and unused code, fixes the culture setting issue, simplifies the UmbracoBackOfficeIdentity since it no longer needs to be a FormsIdentity and just a straight forward ClaimsIdentity

											
										
										
											2018-04-05 23:10:51 +10:00
+								            if (ctx == null) throw new ArgumentNullException(nameof(ctx));
 								            if (ticket == null) throw new ArgumentNullException(nameof(ticket));
-												Merge remote-tracking branch 'origin/dev-v7' into 7.4.0

Conflicts:
	build/InstallGit.cmd
	build/UmbracoVersion.txt
	src/SolutionInfo.cs
	src/Umbraco.Core/Configuration/UmbracoVersion.cs
	src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
	src/Umbraco.Web.UI/Umbraco/config/lang/nb.xml
	src/Umbraco.Web/Editors/DataTypeValidateAttribute.cs
	src/Umbraco.Web/Security/Identity/UmbracoBackOfficeCookieAuthOptions.cs
	src/Umbraco.Web/WebServices/SaveFileController.cs

											
										
										
											2016-01-06 10:46:38 +01:00
 								            var issuedUtc = ticket.Properties.IssuedUtc ?? SystemClock.UtcNow;
 								            var expiresUtc = ticket.Properties.ExpiresUtc ?? issuedUtc.Add(ExpireTimeSpan);
 								            var cookieOptions = new CookieOptions
 								            {
 								                Path = "/",
 								                Domain = this.CookieDomain ?? null,
 								                HttpOnly = true,
 								                Secure = this.CookieSecure == CookieSecureOption.Always
 								                                         || (this.CookieSecure == CookieSecureOption.SameAsRequest && ctx.Request.IsSecure),
 								            };
 								            if (ticket.Properties.IsPersistent)
 								            {
-												U4-7821 KeepUserLoggedIn with a long umbracoTimeOutInMinutes has logout issues

											
										
										
											2016-02-02 12:12:51 +01:00
+								                cookieOptions.Expires = expiresUtc.UtcDateTime;
-												Merge remote-tracking branch 'origin/dev-v7' into 7.4.0

Conflicts:
	build/InstallGit.cmd
	build/UmbracoVersion.txt
	src/SolutionInfo.cs
	src/Umbraco.Core/Configuration/UmbracoVersion.cs
	src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
	src/Umbraco.Web.UI/Umbraco/config/lang/nb.xml
	src/Umbraco.Web/Editors/DataTypeValidateAttribute.cs
	src/Umbraco.Web/Security/Identity/UmbracoBackOfficeCookieAuthOptions.cs
	src/Umbraco.Web/WebServices/SaveFileController.cs

											
										
										
											2016-01-06 10:46:38 +01:00
+								            }
 								            return cookieOptions;
 								        }
-												Normalize cr/lf/tab

											
										
										
											2017-07-20 11:21:28 +02:00
-												Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.

											
										
										
											2015-02-06 13:47:00 +11:00
+								    }
-												Normalize cr/lf/tab

											
										
										
											2017-07-20 11:21:28 +02:00
+								}