React to SameSite addition to CookieOptions #141
Conversation
| { | ||
| HttpOnly = true, | ||
| Domain = _options.CookieDomain, | ||
| SameSite = SameSiteEnforcementMode.Strict |
There was a problem hiding this comment.
I am not familiar with this option, Let's have a conversation with @blowdart - we need to understand what should be the default and if this should be configurable.
There was a problem hiding this comment.
Spoke offline, I think this should remain as strict as we expect the cookie to be created by requests from the same site as subsequent requests. There's no need to make this configurable.
JunTaoLuo
force-pushed
the
johluo/samesite
branch
from
7f3be63 to
752996d
Compare
|
Updated based on @blowdart's recommendation to make this option configurable. This is ready to merge. |
|
Sorry, what's the reason for making this configurable? |
|
If we're going to make this configurable we should attach an |
JunTaoLuo
force-pushed
the
johluo/samesite
branch
from
752996d to
93399a3
Compare
| /// </summary> | ||
| public string CookieDomain { get; set; } | ||
| public Action<CookieOptions> ConfigureCookieOptions { get; set; } |
There was a problem hiding this comment.
This is now a breaking change that requires an announcement.
There was a problem hiding this comment.
Get @Eilon to sign off on the breaking change, I don't get to approve these
There was a problem hiding this comment.
Added him as a reviewer and will speak with him about the breaking change. Can you review the rest of the PR?
| @@ -80,6 +84,8 @@ public void SaveCookieToken(HttpContext httpContext, string token) | |||
| } | |||
| SetCookiePath(httpContext, options); | |||
|
|
|||
| _options.ConfigureCookieOptions?.Invoke(options); | |||
There was a problem hiding this comment.
I call the new ConfigureCookieOptions last after everything else is set. If we don't want users to be able to override Secure or Path on the CookieOptions, we can move this up, though I don't see why we might want that.
There was a problem hiding this comment.
Do we also want to configure the cookie path and secure in the delegate?
There was a problem hiding this comment.
Personally I think allowing you to set both is fine. RequireSSL is also enforced on the validation side, so if you mess it up, you'll just get a 400.
We should double check with @blowdart
There was a problem hiding this comment.
Consistency is good, but folks are already using the old way. I assume you don't want to remove the existing path, just add a way to set it here to?
There was a problem hiding this comment.
Yea, not changing the existing behaviour. Calling the configure delegate here allows the user to overwrite what we set but as @rynowak mentioned, they will be doing so at their own risk.
| @@ -364,7 +364,7 @@ public void SaveCookieToken_NonNullAntiforgeryOptionsCookieDomain_UsesOptionsCoo | |||
| .Returns("/index.html"); | |||
| var options = new AntiforgeryOptions(); | |||
| options.CookieName = _cookieName; | |||
| options.CookieDomain = expectedCookieDomain; | |||
| options.ConfigureCookieOptions = cookieOptions => cookieOptions.Domain = expectedCookieDomain; | |||
There was a problem hiding this comment.
Change the name of this test to reflect the change.
from me, let's get
| @@ -54,12 +54,21 @@ public string CookieName | |||
| public PathString? CookiePath { get; set; } | |||
There was a problem hiding this comment.
This should be obsolete too, it's redundant with ConfigureCookieOptions
| var options = new CookieOptions | ||
| { | ||
| HttpOnly = true, | ||
| Domain = null, |
There was a problem hiding this comment.
still use the obsolete domain property
| @@ -69,9 +69,13 @@ public void SaveCookieToken(HttpContext httpContext, string token) | |||
| Debug.Assert(httpContext != null); | |||
| Debug.Assert(token != null); | |||
|
|
|||
| var options = new CookieOptions(); | |||
| options.HttpOnly = true; | |||
| options.Domain = _options.CookieDomain; | |||
There was a problem hiding this comment.
We still need to use _options.CookieDomain - it's not being removed.
|
🆙📅 edit oops need to ignore obsolete errors |
| Domain = null, | ||
| SameSite = SameSiteMode.Strict | ||
| }; | ||
|
|
||
| // Note: don't use "newCookie.Secure = _options.RequireSSL;" since the default | ||
| // value of newCookie.Secure is populated out of band. | ||
| if (_options.RequireSsl) |
|
As per discussion with @Tratcher, we will probably adopt this approach for other components that duplicate settings on CookieOptions, potentially updating things like Session. Will file an issue in HttpAbstractions to track. Filed aspnet/HttpAbstractions#853. |
- allows configuration of CookieOptions such as SameSite without explicit duplication of the option on AntiforgeryOptions
JunTaoLuo
force-pushed
the
johluo/samesite
branch
from
2904563 to
5870fce
Compare
#127 We should be setting the default to strict?