Integrate FormsAuthenticationTicket encryption.

Add usage to test applications.

Author: Craig Boland

samples/TestImplementation.ReadCookie/Controllers/SecurityController.cs

@@ -2,15 +2,28 @@
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Options;
+using Synercoding.FormsAuthentication;
 using System.Threading.Tasks;
 
 namespace TestImplementation.ReadCookie.Controllers
 {
     [Authorize]
     public class SecurityController : Controller
     {
+        private readonly FormsAuthenticationOptions _formsAuthenticationOptions;
+
+        public SecurityController(IOptions<FormsAuthenticationOptions> options)
+        {
+            _formsAuthenticationOptions = options.Value;
+        }
+
         public IActionResult Index()
         {
+            var authCryptor = new FormsAuthenticationCryptor(_formsAuthenticationOptions);
+            var ticket = authCryptor.Unprotect(Request.Cookies["TestCookie"]);
+            ViewData["TestCookie-UserData"] = ticket.UserData;
+
             return View();
         }
 

samples/TestImplementation.ReadCookie/Startup.cs

@@ -31,6 +31,9 @@ public void ConfigureServices(IServiceCollection services)
                 ValidationMethod = section.GetValue<ValidationMethod>("ValidationMethod"),
             };
 
+            // Enables injection of IOptions<FormsAuthenticationOptions>
+            services.Configure<FormsAuthenticationOptions>(section);
+
             services.AddAuthentication(options =>
                 {
                     options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;

samples/TestImplementation.ReadCookie/Views/Security/Index.cshtml

@@ -54,4 +54,7 @@
             </tr>
         }
     </tbody>
-</table>
+</table>
+
+<h3>Ticket User Data</h3>
+<div>@ViewData["TestCookie-UserData"]</div>

samples/TestImplementation.SetCookie/Controllers/LoginController.cs

@@ -1,4 +1,6 @@
-using System.Web.Mvc;
+using System;
+using System.Web;
+using System.Web.Mvc;
 using TestImplementation.SetCookie.Models;
 
 namespace TestImplementation.SetCookie.Controllers
@@ -19,6 +21,10 @@ public ActionResult Index(LoginVM model)
         {
             if (ModelState.IsValid)
             {
+                var ticket = new System.Web.Security.FormsAuthenticationTicket(1, "TestTicket", DateTime.Now, DateTime.Now.AddDays(1), true, "The answer is '42'.");
+                var encryptedTicket = System.Web.Security.FormsAuthentication.Encrypt(ticket);
+                Response.Cookies.Add(new HttpCookie("TestCookie", encryptedTicket));
+
                 System.Web.Security.FormsAuthentication.SetAuthCookie(model.UserName, true);
                 return Redirect(model.ReturnUrl);
             }

src/Synercoding.FormsAuthentication/FormsAuthenticationCryptor.cs

@@ -33,6 +33,20 @@ public string Protect(FormsAuthenticationCookie cookie)
             return CryptoUtil.BinaryToHex(protectedData);
         }
 
+        public string Protect(FormsAuthenticationTicket ticket)
+        {
+            if (ticket == null)
+                throw new ArgumentNullException(nameof(ticket));
+
+            var unprotectedData = FormsAuthenticationTicketSerializer.Serialize(ticket);
+
+            var cryptoProvider = AspNetCryptoServiceProvider.GetCryptoServiceProvider(_options);
+            var cryptoService = cryptoProvider.GetCryptoService();
+            byte[] protectedData = cryptoService.Protect(unprotectedData);
+
+            return CryptoUtil.BinaryToHex(protectedData);
+        }
+
         public FormsAuthenticationCookie Unprotect(string protectedText)
         {
             if (protectedText == null)
@@ -99,7 +113,7 @@ private FormsAuthenticationCookie ConvertToAuthenticationTicket(byte[] data)
                 byte footer = ticketReader.ReadByte();
                 if (footer != 0xFF)
                     throw new ArgumentException("The data is not in the correct format, footer byte must be 0xFF.", nameof(data));
-                
+
                 //create ticket
                 return new FormsAuthenticationCookie()
                 {

src/Synercoding.FormsAuthentication/FormsAuthenticationTicket.cs

@@ -10,12 +10,13 @@
  * Copyright (c) 1999 Microsoft Corporation
  */
 
-namespace System.Web.Security
+namespace Synercoding.FormsAuthentication
 {
     using System.Security.Principal;
     using System.Security.Permissions;
-    using System.Web.Configuration;
+    //using System.Web.Configuration;
     using System.Runtime.Serialization;
+    using System;
 
 
     /// <devdoc>
@@ -174,25 +175,25 @@ internal DateTime IssueDateUtc
         private DateTime _IssueDateUtc;
 
 
-        /// <devdoc>
-        ///    <para>This constructor creates a
-        ///       FormsAuthenticationTicket instance with explicit values.</para>
-        /// </devdoc>
-        public FormsAuthenticationTicket(int version,
-                                          String name,
-                                          DateTime issueDate,
-                                          DateTime expiration,
-                                          bool isPersistent,
-                                          String userData)
-        {
-            _Version = version;
-            _Name = name;
-            _Expiration = expiration;
-            _IssueDate = issueDate;
-            _IsPersistent = isPersistent;
-            _UserData = userData;
-            _CookiePath = FormsAuthentication.FormsCookiePath;
-        }
+        ///// <devdoc>
+        /////    <para>This constructor creates a
+        /////       FormsAuthenticationTicket instance with explicit values.</para>
+        ///// </devdoc>
+        //public FormsAuthenticationTicket(int version,
+        //                                  String name,
+        //                                  DateTime issueDate,
+        //                                  DateTime expiration,
+        //                                  bool isPersistent,
+        //                                  String userData)
+        //{
+        //    _Version = version;
+        //    _Name = name;
+        //    _Expiration = expiration;
+        //    _IssueDate = issueDate;
+        //    _IsPersistent = isPersistent;
+        //    _UserData = userData;
+        //    _CookiePath = FormsAuthentication.FormsCookiePath;
+        //}
 
 
         public FormsAuthenticationTicket(int version,
@@ -214,25 +215,25 @@ public FormsAuthenticationTicket(int version,
 
 
 
-        /// <devdoc>
-        ///    <para> This constructor creates
-        ///       a FormsAuthenticationTicket instance with the specified name and cookie durability,
-        ///       and default values for the other settings.</para>
-        /// </devdoc>
-        public FormsAuthenticationTicket(String name, bool isPersistent, Int32 timeout)
-        {
-            _Version = 2;
-            _Name = name;
-            _IssueDateUtcHasValue = true;
-            _IssueDateUtc = DateTime.UtcNow;
-            _IssueDate = DateTime.Now;
-            _IsPersistent = isPersistent;
-            _UserData = "";
-            _ExpirationUtcHasValue = true;
-            _ExpirationUtc = _IssueDateUtc.AddMinutes(timeout);
-            _Expiration = _IssueDate.AddMinutes(timeout);
-            _CookiePath = FormsAuthentication.FormsCookiePath;
-        }
+        ///// <devdoc>
+        /////    <para> This constructor creates
+        /////       a FormsAuthenticationTicket instance with the specified name and cookie durability,
+        /////       and default values for the other settings.</para>
+        ///// </devdoc>
+        //public FormsAuthenticationTicket(String name, bool isPersistent, Int32 timeout)
+        //{
+        //    _Version = 2;
+        //    _Name = name;
+        //    _IssueDateUtcHasValue = true;
+        //    _IssueDateUtc = DateTime.UtcNow;
+        //    _IssueDate = DateTime.Now;
+        //    _IsPersistent = isPersistent;
+        //    _UserData = "";
+        //    _ExpirationUtcHasValue = true;
+        //    _ExpirationUtc = _IssueDateUtc.AddMinutes(timeout);
+        //    _Expiration = _IssueDate.AddMinutes(timeout);
+        //    _CookiePath = FormsAuthentication.FormsCookiePath;
+        //}
 
         internal static FormsAuthenticationTicket FromUtc(int version, String name, DateTime issueDateUtc, DateTime expirationUtc, bool isPersistent, String userData, String cookiePath)
         {

src/Synercoding.FormsAuthentication/FormsAuthenticationTicketSerializer.cs

@@ -4,13 +4,14 @@
 // </copyright>
 //------------------------------------------------------------------------------
 
-namespace System.Web.Security
+namespace Synercoding.FormsAuthentication
 {
     using System;
+    using System.Diagnostics;
     using System.IO;
     using System.Security.Cryptography;
     using System.Text;
-    using System.Web.Util;
+    //using System.Web.Util;
 
     // A helper class which can serialize / deserialize FormsAuthenticationTicket instances.
     //