From c82ac5e61f893090734c80e36c65562a175a20ef Mon Sep 17 00:00:00 2001 From: ryanbrandenburg Date: Wed, 4 Nov 2015 17:04:11 -0800 Subject: [PATCH] * Return old cookie token --- .../DefaultAntiforgery.cs | 12 +++-- .../DefaultAntiforgeryTest.cs | 47 ++++++++++++++++++- 2 files changed, 54 insertions(+), 5 deletions(-) diff --git a/src/Microsoft.AspNet.Antiforgery/DefaultAntiforgery.cs b/src/Microsoft.AspNet.Antiforgery/DefaultAntiforgery.cs index 98f6e49f84..a10370c334 100644 --- a/src/Microsoft.AspNet.Antiforgery/DefaultAntiforgery.cs +++ b/src/Microsoft.AspNet.Antiforgery/DefaultAntiforgery.cs @@ -67,7 +67,10 @@ namespace Microsoft.AspNet.Antiforgery CheckSSLConfig(context); var tokenSet = GetTokensInternal(context); - SaveCookieTokenAndHeader(context, tokenSet.CookieToken); + if (tokenSet.IsNewCookieToken) + { + SaveCookieTokenAndHeader(context, tokenSet.CookieToken); + } return Serialize(tokenSet); } @@ -226,8 +229,9 @@ namespace Microsoft.AspNet.Antiforgery return new AntiforgeryTokenSetInternal() { // Note : The new cookie would be null if the old cookie is valid. - CookieToken = newCookieToken, - FormToken = formToken + CookieToken = cookieToken, + FormToken = formToken, + IsNewCookieToken = newCookieToken != null }; } @@ -243,6 +247,8 @@ namespace Microsoft.AspNet.Antiforgery public AntiforgeryToken FormToken { get; set; } public AntiforgeryToken CookieToken { get; set; } + + public bool IsNewCookieToken { get; set; } } } } \ No newline at end of file diff --git a/test/Microsoft.AspNet.Antiforgery.Test/DefaultAntiforgeryTest.cs b/test/Microsoft.AspNet.Antiforgery.Test/DefaultAntiforgeryTest.cs index fe3c5387e1..59c45b919c 100644 --- a/test/Microsoft.AspNet.Antiforgery.Test/DefaultAntiforgeryTest.cs +++ b/test/Microsoft.AspNet.Antiforgery.Test/DefaultAntiforgeryTest.cs 
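Review bot: Guarding the whole `SaveCookieTokenAndHeader(context, tokenSet.CookieToken)` call with `if (tokenSet.IsNewCookieToken)` changes more than cookie persistence if, as the helper's name suggests, it also writes a response header (for example a clickjacking-protection header); on every request that already carries a valid cookie that header would no longer be emitted, which is a silent weakening rather than the intended "don't re-set the cookie". The helper's body is outside this hunk, so this is inferred from its name; if it does set a header, keep the header write unconditional and move the `IsNewCookieToken` check inside the helper around the cookie-save call only. A test on the existing-valid-cookie path that asserts the header is still present would pin whichever behaviour is intended.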
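Review bot: The retained comment `// Note : The new cookie would be null if the old cookie is valid.` now sits directly above `CookieToken = cookieToken,`, which is no longer the new cookie, so it describes a value the initializer no longer assigns; reword it to cover both fields, e.g. `// CookieToken is the token the caller should use (existing or freshly generated); newCookieToken is null when the existing cookie was valid, so IsNewCookieToken tells GetAndStoreTokens whether it must be persisted.` Where `cookieToken` is assigned is outside the hunk, so its meaning is inferred from the neighbouring test expectations. The third hunk of this file would also benefit from a one-line `///` summary on the new `IsNewCookieToken` property stating that it is true only when `CookieToken` was generated during this request rather than read from an existing cookie.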
@@ -313,10 +313,51 @@ namespace Microsoft.AspNet.Antiforgery var tokenset = antiforgery.GetTokens(context.HttpContext); // Assert - Assert.Null(tokenset.CookieToken); + Assert.Equal("serialized-old-cookie-token", tokenset.CookieToken); Assert.Equal("serialized-form-token", tokenset.FormToken); } + [Fact] + public void GetAndStoreTokens_ExistingValidCookieToken_NotOverriden() + { + // Arrange + var context = CreateMockContext( + new AntiforgeryOptions(), + useOldCookie: true, + isOldCookieValid: true); + var antiforgery = GetAntiforgery(context); + + // Act + var tokenSet = antiforgery.GetAndStoreTokens(context.HttpContext); + + // Assert + // We shouldn't have saved the cookie because it already existed. + context.TokenStore.Verify(t => t.SaveCookieToken(It.IsAny(), It.IsAny()), Times.Never); + + Assert.Equal("serialized-old-cookie-token", tokenSet.CookieToken); + Assert.Equal("serialized-form-token", tokenSet.FormToken); + } + + [Fact] + public void GetAndStoreTokens_NoExistingCookieToken_Saved() + { + // Arrange + var context = CreateMockContext( + new AntiforgeryOptions(), + useOldCookie: false, + isOldCookieValid: false); + var antiforgery = GetAntiforgery(context); + + // Act + var tokenSet = antiforgery.GetAndStoreTokens(context.HttpContext); + + // Assert + context.TokenStore.Verify(t => t.SaveCookieToken(It.IsAny(), It.IsAny()), Times.Once); + + Assert.Equal("serialized-new-cookie-token", tokenSet.CookieToken); + Assert.Equal("serialized-form-token", tokenSet.FormToken); + } + [Fact] public void ValidateTokens_FromInvalidStrings_Throws() { @@ -533,6 +574,8 @@ namespace Microsoft.AspNet.Antiforgery .Returns(formToken); mockSerializer.Setup(o => o.Deserialize(testTokenSet.OldCookieTokenString)) .Returns(oldCookieToken); + mockSerializer.Setup(o => o.Serialize(oldCookieToken)) + .Returns(testTokenSet.OldCookieTokenString); mockSerializer.Setup(o => o.Serialize(newCookieToken)) .Returns(testTokenSet.NewCookieTokenString); return mockSerializer; 
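Review bot: `GetAndStoreTokens_ExistingValidCookieToken_NotOverriden` misspells "Overridden"; the surrounding tests follow `Method_State_Expected`, so `GetAndStoreTokens_ExistingValidCookieToken_NotOverridden` keeps that shape. The `It.IsAny()` calls in both new `Verify` lines carry no type argument, which the mocking API requires; the generic arguments were presumably lost when the patch was rendered, but it is worth confirming against the committed file (the `new Mock(MockBehavior.Strict)` in the later hunk shows the same symptom). The changed assertion at the top of the hunk also pins a caller-facing shift: `GetTokens` now hands back the serialized existing cookie token where it previously returned null, and unless the public token set exposes an equivalent of `IsNewCookieToken` (not visible here), a caller that treated null as "nothing to write" can no longer distinguish a reused cookie from a new one; a test covering that contract, or a note in the public type's XML docs, would make the intent explicit.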
@@ -549,7 +592,7 @@ namespace Microsoft.AspNet.Antiforgery var mockSerializer = GetTokenSerializer(testTokenSet); - var mockTokenStore = GetTokenStore(httpContext, testTokenSet); + var mockTokenStore = GetTokenStore(httpContext, testTokenSet, !useOldCookie); var mockGenerator = new Mock(MockBehavior.Strict); mockGenerator