Please respect HttpOnly / Secure options in SignOut cookie #234

Closed
i4rilu opened this issue Oct 10, 2018 · 4 comments · Fixed by #308
Comments

@i4rilu

i4rilu commented Oct 10, 2018


Please respect the HttpOnly / Secure options when constructing the SignOut cookie.

```csharp
// CookieOptions for the sign-out (delete) cookie, carrying HttpOnly/Secure
// over from the configured cookie options instead of dropping them
new CookieOptions
{
   Path = options.Path,
   Domain = options.Domain,
   Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
   HttpOnly = options.HttpOnly,
   Secure = options.Secure,
});
```
@Tratcher
Member

These options do not apply to signout cookies; the cookie is being deleted. Was this affecting a real client, or was it only flagged by some automation?

@i4rilu
Author

i4rilu commented Oct 11, 2018

This was flagged during the compliance scanning.
If the options do not apply to the signout cookie, it would be great to have more control over the signout cookie in ChunkingCookieManager.
The current approach is just to copy-paste the whole DeleteCookie() method.
Thank you!

@jesperkristensen

I have changed my authentication cookie name to have the __Host- prefix to ensure cookie integrity. Now the cookie is not deleted when SignOut() is called.

The following response header is sent, but the browser ignores it because it is missing the Secure flag:

```http
Set-Cookie: __Host-.AspNet.Cookies=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
```

(Tested in latest Firefox and Chrome)

@jesperkristensen

I found this workaround:

```csharp
using System;
using Microsoft.Owin;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security.Cookies;
using Owin;

// In Startup.Configuration(IAppBuilder app):
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    CookieName = "__Host-.AspNet.Cookies",
    CookieManager = new FixedCookieManager(),
});

// Hides the base DeleteCookie and re-declares ICookieManager so the interface
// call lands on this method. Writing the delete cookie through
// AppendResponseCookie keeps the Secure/HttpOnly/Path/Domain of the configured
// options, so the browser accepts it for a __Host- prefixed name.
public class FixedCookieManager : ChunkingCookieManager, ICookieManager
{
    public new void DeleteCookie(IOwinContext context, string key, CookieOptions options)
    {
        options.Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        AppendResponseCookie(context, key, "", options);
    }
}
```
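
The rejection described in the two comments above can be checked offline with the following validator, added here as an example and not part of the Katana project: it applies the cookie-prefix rules browsers implement (Secure required for `__Secure-` and `__Host-`; `__Host-` additionally requires Path=/ and forbids Domain) to the header quoted in the thread and to a constructed header of the form the FixedCookieManager workaround emits. The `FIXED` sample and the function names are assumptions made for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed samples: the header quoted in the thread (rejected by the
# browser) and the same delete cookie carrying the Secure/HttpOnly flags
# that the FixedCookieManager workaround preserves (assumed output form).
OBSERVED = "__Host-.AspNet.Cookies=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT"
FIXED = OBSERVED + "; secure; HttpOnly"

def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    parsed = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for attr in attrs:
        key, _, val = attr.partition("=")
        parsed["attrs"][key.strip().lower()] = val.strip()
    return parsed

def prefix_violations(header):
    """Reasons a browser rejects the cookie under the __Secure-/__Host- prefix
    rules (RFC 6265bis); an empty list means the header is accepted."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    problems = []
    if cookie["name"].startswith(("__Secure-", "__Host-")) and "secure" not in attrs:
        problems.append("missing Secure attribute")
    if cookie["name"].startswith("__Host-"):
        if "domain" in attrs:
            problems.append("Domain attribute not allowed")
        if attrs.get("path") != "/":
            problems.append("Path must be exactly /")
    return problems

def is_deletion(header):
    """True when the header expires the cookie (Max-Age <= 0 or a past Expires)."""
    attrs = parse_set_cookie(header)["attrs"]
    if "max-age" in attrs:
        return int(attrs["max-age"]) <= 0
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) < datetime.now(timezone.utc)
    return False

def signout_is_effective(header):
    """A sign-out Set-Cookie only works if it deletes AND the browser accepts it."""
    return is_deletion(header) and not prefix_violations(header)
```

Running `signout_is_effective` over `OBSERVED` returns False (the delete is silently dropped), while `FIXED` returns True.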

@muratg muratg added this to the Discussions milestone Oct 31, 2018
@Tratcher Tratcher self-assigned this Sep 15, 2019
@Tratcher Tratcher modified the milestones: Discussions, 4.0.2 Sep 15, 2019
@ghost ghost locked as resolved and limited conversation to collaborators Jan 6, 2020