From c38030def28094889c46266c9d5d56579a18b552 Mon Sep 17 00:00:00 2001 From: Shannon Date: Thu, 16 Jan 2014 20:47:13 +1100 Subject: [PATCH] Fixes: U4-3855 Preview cookie should be a session cookie not persisted --- .../Configuration/UmbracoSettings.cs | 2 +- src/Umbraco.Core/Constants-Web.cs | 22 ++++++++++++ .../Security/AuthenticationExtensions.cs | 34 +++++++++++-------- src/Umbraco.Core/Umbraco.Core.csproj | 3 ++ .../TestHelpers/FakeHttpContextFactory.cs | 3 +- src/umbraco.businesslogic/StateHelper.cs | 20 +++++++---- 6 files changed, 61 insertions(+), 23 deletions(-) create mode 100644 src/Umbraco.Core/Constants-Web.cs diff --git a/src/Umbraco.Core/Configuration/UmbracoSettings.cs b/src/Umbraco.Core/Configuration/UmbracoSettings.cs index 6b53540238..a6f81b593c 100644 --- a/src/Umbraco.Core/Configuration/UmbracoSettings.cs +++ b/src/Umbraco.Core/Configuration/UmbracoSettings.cs @@ -309,7 +309,7 @@ namespace Umbraco.Core.Configuration { return value; } - return "UMB_UCONTEXT"; + return Constants.Web.AuthCookieName; } } diff --git a/src/Umbraco.Core/Constants-Web.cs b/src/Umbraco.Core/Constants-Web.cs new file mode 100644 index 0000000000..83cb995eeb --- /dev/null +++ b/src/Umbraco.Core/Constants-Web.cs @@ -0,0 +1,22 @@ +namespace Umbraco.Core +{ + public static partial class Constants + { + /// + /// Defines the identifiers for Umbraco system nodes. + /// + public static class Web + { + /// + /// The preview cookie name + /// + public const string PreviewCookieName = "UMB_PREVIEW"; + + /// + /// The auth cookie name + /// + public const string AuthCookieName = "UMB_UCONTEXT"; + + } + } +} \ No newline at end of file diff --git a/src/Umbraco.Core/Security/AuthenticationExtensions.cs b/src/Umbraco.Core/Security/AuthenticationExtensions.cs index 87d09aecf5..306a385f61 100644 --- a/src/Umbraco.Core/Security/AuthenticationExtensions.cs +++ b/src/Umbraco.Core/Security/AuthenticationExtensions.cs 
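Review bot: The summary on the new `Web` class in Constants-Web.cs, "Defines the identifiers for Umbraco system nodes.", looks copied from another Constants section and does not describe its members; `/// Defines the names of the cookies used for back-office authentication and preview.` would match the two constants. Both names are `public const string`, so the compiler copies the literal into every referencing assembly and a later rename only reaches assemblies rebuilt against the new Umbraco.Core. If these names are ever expected to change, `public static readonly string` avoids a state where one assembly sets a cookie under one name and another tries to clear it under a different one. The new file also ends without a trailing newline.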
@@ -99,21 +99,27 @@ namespace Umbraco.Core.Security /// private static void Logout(this HttpContextBase http, string cookieName) { - //remove from the request - http.Request.Cookies.Remove(cookieName); + //clear the preview cookie too + var cookies = new[] { cookieName, Constants.Web.PreviewCookieName }; + foreach (var c in cookies) + { + //remove from the request + http.Request.Cookies.Remove(c); + + //expire from the response + var formsCookie = http.Response.Cookies[c]; + if (formsCookie != null) + { + //this will expire immediately and be removed from the browser + formsCookie.Expires = DateTime.Now.AddYears(-1); + } + else + { + //ensure there's def an expired cookie + http.Response.Cookies.Add(new HttpCookie(c) { Expires = DateTime.Now.AddYears(-1) }); + } + } - //expire from the response - var formsCookie = http.Response.Cookies[cookieName]; - if (formsCookie != null) - { - //this will expire immediately and be removed from the browser - formsCookie.Expires = DateTime.Now.AddYears(-1); - } - else - { - //ensure there's def an expired cookie - http.Response.Cookies.Add(new HttpCookie(cookieName) { Expires = DateTime.Now.AddYears(-1) }); - } } /// diff --git a/src/Umbraco.Core/Umbraco.Core.csproj b/src/Umbraco.Core/Umbraco.Core.csproj index 90bf089d0f..09ab59e054 100644 --- a/src/Umbraco.Core/Umbraco.Core.csproj +++ b/src/Umbraco.Core/Umbraco.Core.csproj @@ -837,6 +837,9 @@ Constants.cs + + Constants.cs + diff --git a/src/Umbraco.Tests/TestHelpers/FakeHttpContextFactory.cs b/src/Umbraco.Tests/TestHelpers/FakeHttpContextFactory.cs index abb477d3c6..c7e7764512 100644 --- a/src/Umbraco.Tests/TestHelpers/FakeHttpContextFactory.cs +++ b/src/Umbraco.Tests/TestHelpers/FakeHttpContextFactory.cs @@ -7,6 +7,7 @@ using System.Text; using System.Web; using System.Web.Routing; using Moq; +using Umbraco.Core; namespace Umbraco.Tests.TestHelpers { 
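Review bot: In the AuthenticationExtensions.cs hunk, Logout only sets `Expires` on the preview cookie, which asks the browser to discard it but invalidates nothing on the server. If the value of the preview cookie refers to server-side preview state (not visible in this hunk), a copy of the cookie taken before logout would presumably still be honoured, so that state should be cleared at logout as well. Inside the loop the local `formsCookie` now also holds the preview cookie; `var responseCookie = http.Response.Cookies[c];` would read correctly for both names. The expiring cookie created in the else branch uses the default path and domain, so it only overwrites the browser's copy if the original was issued with the same defaults.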
@@ -59,7 +60,7 @@ namespace Umbraco.Tests.TestHelpers //Cookie collection var cookieCollection = new HttpCookieCollection(); - cookieCollection.Add(new HttpCookie("UMB_UCONTEXT", "FBA996E7-D6BE-489B-B199-2B0F3D2DD826")); + cookieCollection.Add(new HttpCookie(Constants.Web.AuthCookieName, "FBA996E7-D6BE-489B-B199-2B0F3D2DD826")); //Request var requestMock = new Mock(); diff --git a/src/umbraco.businesslogic/StateHelper.cs b/src/umbraco.businesslogic/StateHelper.cs index 387efd2ca3..d14031d7c1 100644 --- a/src/umbraco.businesslogic/StateHelper.cs +++ b/src/umbraco.businesslogic/StateHelper.cs @@ -2,6 +2,7 @@ using System; using System.Reflection; using System.Web; using System.Web.UI; +using Umbraco.Core; namespace umbraco.BusinessLogic { @@ -347,8 +348,8 @@ namespace umbraco.BusinessLogic * we currently reproduce this by configuring each cookie with a 30d expires, but does * that actually make sense? shouldn't some cookie have _no_ expires? */ - static readonly Cookie _preview = new Cookie("UMB_PREVIEW", 30d); // was "PreviewSet" - static readonly Cookie _userContext = new Cookie("UMB_UCONTEXT", 30d); // was "UserContext" + static readonly Cookie _preview = new Cookie(Constants.Web.PreviewCookieName, TimeSpan.Zero); // was "PreviewSet" + static readonly Cookie _userContext = new Cookie(Constants.Web.AuthCookieName, 30d); // was "UserContext" static readonly Cookie _member = new Cookie("UMB_MEMBER", 30d); // was "umbracoMember" public static Cookie Preview { get { return _preview; } } @@ -429,7 +430,7 @@ namespace umbraco.BusinessLogic } public void SetValue(string value) { - SetValueWithDate(value, DateTime.Now + _expires); + SetValueWithDate(value, _expires == TimeSpan.Zero ? DateTime.MinValue : DateTime.Now + _expires); } public void SetValue(string value, double days) 
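Review bot: The block comment directly above these fields in StateHelper.cs (hunk at -347) still says each cookie is configured with a 30d expiry, which is no longer true for `_preview`, and nothing at the declaration says that `TimeSpan.Zero` is a sentinel. A comment on the `_preview` line such as `// TimeSpan.Zero: no Expires is written, so the browser treats this as a session cookie` would make that explicit. `_userContext` keeps its 30d persistent expiry, so the question that comment raises still applies to the auth cookie; whether the ticket inside it enforces a shorter lifetime is not visible here.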
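Review bot: The `TimeSpan.Zero` to `DateTime.MinValue` conversion added to `SetValue(string value)` (hunk at -429) is repeated in `SetValue(string value, TimeSpan expires)` (hunk at -439), while `SetValue(string value, double days)`, whose body lies outside the hunks, is not changed. A zero passed in days therefore presumably still produces an already-expired cookie rather than a session cookie. One private helper called from every overload would keep the rule in one place: `private static DateTime ToExpiry(TimeSpan e) { return e == TimeSpan.Zero ? DateTime.MinValue : DateTime.Now + e; }`. The change also alters what a zero TimeSpan means for existing callers of the public overload, which previously got an immediate expiry, and that deserves a line in its doc comment.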
@@ -439,7 +440,7 @@ namespace umbraco.BusinessLogic public void SetValue(string value, TimeSpan expires) { - SetValue(value, DateTime.Now + expires); + SetValue(value, expires == TimeSpan.Zero ? DateTime.MinValue : DateTime.Now + expires); } public void SetValue(string value, DateTime expires) @@ -449,7 +450,7 @@ namespace umbraco.BusinessLogic private void SetValueWithDate(string value, DateTime expires) { - HttpCookie cookie = new HttpCookie(_key, value); + var cookie = new HttpCookie(_key, value); if (GlobalSettings.UseSSL) cookie.Secure = true; @@ -457,7 +458,12 @@ namespace umbraco.BusinessLogic //ensure http only, this should only be able to be accessed via the server cookie.HttpOnly = true; - cookie.Expires = expires; + //set an expiry date if not min value, otherwise leave it as a session cookie. + if (expires != DateTime.MinValue) + { + cookie.Expires = expires; + } + ResponseCookie = cookie; // original Umbraco code also does this @@ -471,7 +477,7 @@ namespace umbraco.BusinessLogic { if (RequestCookie != null || ResponseCookie != null) { - HttpCookie cookie = new HttpCookie(_key); + var cookie = new HttpCookie(_key); cookie.Expires = DateTime.Now.AddDays(-1); ResponseCookie = cookie; }
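Review bot: `DateTime.MinValue` now acts as an in-band sentinel in SetValueWithDate (hunk at -457), and the contract is not documented anywhere in the visible code. If the public `SetValue(string value, DateTime expires)` forwards to it, as the surrounding overloads suggest, a caller passing `DateTime.MinValue` or an uninitialised `DateTime` silently gets a session cookie. A doc comment on both methods stating "DateTime.MinValue leaves Expires unset and produces a session cookie" would cover it. A session cookie's lifetime is decided by the browser, and session restore can keep it across restarts, so the explicit removal in Logout remains the dependable way to end preview. SetValueWithDate begins in the previous hunk and continues past the end of this one.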