This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

Support for Cookie "SameSite" Flag #908

Closed
mariusschulz opened this issue Jul 20, 2016 · 6 comments

Comments


mariusschulz commented Jul 20, 2016

Are there any plans to implement support for the cookie SameSite flag within the cookie authentication middleware? The flag helps mitigate CSRF attacks and is currently recognized by Chrome and Opera, and possibly more browsers soon.

I'm thinking about a new property on CookieAuthenticationOptions, as illustrated here:

```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    SameSite = SameSitePolicy.Always // or SameSitePolicy.None
    // ...
});
```

I think this feature has a very good cost-benefit ratio. The implementation should be relatively straightforward, and it wouldn't hurt to have an additional protection measure against CSRF besides antiforgery tokens.
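As an added illustration (not part of this issue or of the ASP.NET Core code base), the check below parses `Set-Cookie` header values and reports cookies that lack the `SameSite` attribute or carry a value that does not restrict cross-site sending, so an operator can verify what a server actually emits. The cookie-name prefixes it treats as security-sensitive and the sample headers are assumptions constructed for the example.

```python
"""Audit Set-Cookie header values for the SameSite attribute."""
from typing import Dict, List

# Cookie-name prefixes treated as security-sensitive (an assumption for this example).
SENSITIVE_PREFIXES = (".AspNetCore.", ".AspNet.", "__RequestVerificationToken")

def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into {'name', 'value', <attribute>: <value>}.
    Attribute names are folded to lower case; valueless attributes (HttpOnly,
    Secure) map to ''. A leading 'Set-Cookie:' header name is stripped."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            cookie[key.strip().lower()] = val.strip()
    return cookie

def audit_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie value; an empty list means no issue."""
    cookie = parse_set_cookie(header)
    sensitive = cookie["name"].startswith(SENSITIVE_PREFIXES)
    if "samesite" not in cookie:
        note = " on a security-sensitive cookie" if sensitive else ""
        return ["SameSite attribute missing" + note]
    if cookie["samesite"].lower() not in ("strict", "lax"):
        # Any other value (e.g. None) still lets the cookie ride on cross-site requests.
        return [f"SameSite={cookie['samesite']} gives no CSRF protection"]
    return []

def audit_response(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of one response, keyed by cookie name."""
    report: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        findings = audit_cookie(header)
        if findings:
            report[parse_set_cookie(header)["name"]] = findings
    return report

SAMPLE_HEADERS = [  # constructed sample headers, not captured from a real server
    ".AspNetCore.Cookies=abc123; path=/; httponly",
    ".AspNetCore.Antiforgery.x1=tok; path=/; samesite=strict; httponly",
    "theme=dark; path=/; SameSite=Lax",
    "Set-Cookie: tracker=1; path=/; SameSite=None; Secure",
]
```

Running `audit_response(SAMPLE_HEADERS)` flags the authentication cookie for having no `SameSite` attribute and the `tracker` cookie for `SameSite=None`, while the antiforgery and `theme` cookies pass.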

@mariusschulz mariusschulz changed the title Support for "SameSite" flag Support for Cookie "SameSite" Flag Jul 20, 2016
@Eilon Eilon added this to the 1.1.0 milestone Jul 21, 2016
@Tratcher
Member

This was previously discussed here: #831 (comment)

SameSite is still in draft form: https://tools.ietf.org/html/draft-west-first-party-cookies-07

We may add support for it when the spec is finished.

@Tratcher Tratcher removed this from the 1.1.0 milestone Jul 24, 2016
@Eilon Eilon added this to the Backlog milestone Jul 28, 2016
@Tratcher Tratcher removed this from the Backlog milestone Feb 21, 2017
@Tratcher
Member

@blowdart has requested this be re-triaged.

@Tratcher
Member

Depends on aspnet/HttpAbstractions#710

@Eilon Eilon added this to the 2.0.0-preview1 milestone Mar 2, 2017
@Eilon
Member

Eilon commented Mar 2, 2017

Need to also make sure we update the Cookie Policy middleware to allow setting this.

@Eilon
Member

Eilon commented Mar 2, 2017

And security-related cookies from this repo, plus Antiforgery cookies, would have SameSite enabled by default. We'd have to evaluate all other cookies created by ASP.NET Core to see what they should have by default.

@Eilon
Member

Eilon commented Mar 2, 2017

Antiforgery work tracked here: aspnet/Antiforgery#127
