protect basket by manual manipulation of basket shop cookie (#609)

* protect basket by manual maipulation of basket shop cookie (get and set) * add diagram to explain issue 449
2021-11-01 17:28:01 +01:00
parent ed30f3dcc4
commit 47f69eb294
4 changed files with 65 additions and 13 deletions
--- a/src/Web/Pages/Basket/Index.cshtml.cs
+++ b/src/Web/Pages/Basket/Index.cshtml.cs
@@ -76,6 +76,7 @@ namespace Microsoft.eShopWeb.Web.Pages.Basket
            {
                GetOrSetBasketCookieAndUserName();
                BasketModel = await _basketViewModelService.GetOrCreateBasketForUser(_username);
+
            }
        }

@@ -84,6 +85,14 @@ namespace Microsoft.eShopWeb.Web.Pages.Basket
            if (Request.Cookies.ContainsKey(Constants.BASKET_COOKIENAME))
            {
                _username = Request.Cookies[Constants.BASKET_COOKIENAME];
+
+                if (!Request.HttpContext.User.Identity.IsAuthenticated)
+                {
+                    if (!Guid.TryParse(_username, out var _))
+                    {
+                        _username = null;
+                    }
+                }
            }
            if (_username != null) return;

--- a/src/Web/Pages/Shared/Components/BasketComponent/Basket.cs
+++ b/src/Web/Pages/Shared/Components/BasketComponent/Basket.cs
@@ -4,6 +4,7 @@ using Microsoft.eShopWeb.Infrastructure.Identity;
 using Microsoft.eShopWeb.Web.Interfaces;
 using Microsoft.eShopWeb.Web.Pages.Basket;
 using Microsoft.eShopWeb.Web.ViewModels;
+using System;
 using System.Linq;
 using System.Threading.Tasks;

@@ -34,16 +35,24 @@ namespace Microsoft.eShopWeb.Web.Pages.Shared.Components.BasketComponent
            {
                return await _basketService.GetOrCreateBasketForUser(User.Identity.Name);
            }
-            string anonymousId = GetBasketIdFromCookie();
-            if (anonymousId == null) return new BasketViewModel();
+
+            string anonymousId = GetAnnonymousIdFromCookie();
+            if (anonymousId == null)
+                return new BasketViewModel();
+
            return await _basketService.GetOrCreateBasketForUser(anonymousId);
        }

-        private string GetBasketIdFromCookie()
+        private string GetAnnonymousIdFromCookie()
        {
            if (Request.Cookies.ContainsKey(Constants.BASKET_COOKIENAME))
            {
-                return Request.Cookies[Constants.BASKET_COOKIENAME];
+                var id = Request.Cookies[Constants.BASKET_COOKIENAME];
+
+                if (Guid.TryParse(id, out var _))
+                {
+                    return id;
+                }
            }
            return null;
        }