Cleans up the usages of auth cookies. OWIN is in charge of auth cookies, but because we have Webforms, WebApi, MVC and OWIN, they all tend to deal with cookies differently. OWIN should remain solely in charge of the auth cookies, so the auth extensions are cleaned up; renewal now works by queuing the renewal, and custom middleware detects whether a forced renewal has been queued and renews the auth cookie there. A few methods that write auth tickets directly have been marked obsolete and should not be used (they remain purely for backwards compatibility with Webforms). All of these changes ensure that the auth cookie is renewed consistently between Webforms, WebApi, MVC and OWIN. Some changes also ensure that OWIN is used to sign out.
@@ -149,72 +149,7 @@ namespace Umbraco.Web
|
||||
#endregion
|
||||
|
||||
#region Methods
|
||||
|
||||
/// <summary>
|
||||
/// Determines if we should authenticate the request
|
||||
/// </summary>
|
||||
/// <param name="request"></param>
|
||||
/// <param name="originalRequestUrl"></param>
|
||||
/// <returns></returns>
|
||||
/// <remarks>
|
||||
/// We auth the request when:
|
||||
/// * it is a back office request
|
||||
/// * it is an installer request
|
||||
/// * it is a /base request
|
||||
/// * it is a preview request
|
||||
/// </remarks>
|
||||
internal static bool ShouldAuthenticateRequest(HttpRequestBase request, Uri originalRequestUrl)
|
||||
{
|
||||
if (//check back office
|
||||
request.Url.IsBackOfficeRequest(HttpRuntime.AppDomainAppVirtualPath)
|
||||
//check installer
|
||||
|| request.Url.IsInstallerRequest()
|
||||
//detect in preview
|
||||
|| (request.HasPreviewCookie() && request.Url != null && request.Url.AbsolutePath.StartsWith(IOHelper.ResolveUrl(SystemDirectories.Umbraco)) == false)
|
||||
//check for base
|
||||
|| BaseRest.BaseRestHandler.IsBaseRestRequest(originalRequestUrl))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
//private static readonly ConcurrentHashSet<string> IgnoreTicketRenewUrls = new ConcurrentHashSet<string>();
|
||||
///// <summary>
|
||||
///// Determines if the authentication ticket should be renewed with a new timeout
|
||||
///// </summary>
|
||||
///// <param name="url"></param>
|
||||
///// <param name="httpContext"></param>
|
||||
///// <returns></returns>
|
||||
///// <remarks>
|
||||
///// We do not want to renew the ticket when we are checking for the user's remaining timeout unless -
|
||||
///// UmbracoConfig.For.UmbracoSettings().Security.KeepUserLoggedIn == true
|
||||
///// </remarks>
|
||||
//internal static bool ShouldIgnoreTicketRenew(Uri url, HttpContextBase httpContext)
|
||||
//{
|
||||
// //this setting will renew the ticket for all requests.
|
||||
// if (UmbracoConfig.For.UmbracoSettings().Security.KeepUserLoggedIn)
|
||||
// {
|
||||
// return false;
|
||||
// }
|
||||
|
||||
// //initialize the ignore ticket urls - we don't need to lock this, it's concurrent and a hashset
|
||||
// // we don't want to have to gen the url each request so this will speed things up a teeny bit.
|
||||
// if (IgnoreTicketRenewUrls.Any() == false)
|
||||
// {
|
||||
// var urlHelper = new UrlHelper(new RequestContext(httpContext, new RouteData()));
|
||||
// var checkSessionUrl = urlHelper.GetUmbracoApiService<AuthenticationController>(controller => controller.GetRemainingTimeoutSeconds());
|
||||
// IgnoreTicketRenewUrls.Add(checkSessionUrl);
|
||||
// }
|
||||
|
||||
// if (IgnoreTicketRenewUrls.Any(x => url.AbsolutePath.StartsWith(x)))
|
||||
// {
|
||||
// return true;
|
||||
// }
|
||||
|
||||
// return false;
|
||||
//}
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// Checks the current request and ensures that it is routable based on the structure of the request and URI
|
||||
/// </summary>
|
||||
|
||||