Add SameSitePolicy to CookiePolicyMiddleware

Author: JunTaoLuo

shared/Microsoft.AspNetCore.ChunkingCookieManager.Sources/ChunkingCookieManager.cs

@@ -33,7 +33,7 @@ internal class ChunkingCookieManager
         /// <summary>
         /// The default maximum size of characters in a cookie to send back to the client.
         /// </summary>
-        public const int DefaultChunkSize = 4070;
+        public const int DefaultChunkSize = 4050;
 
         private const string ChunkKeySuffix = "C";
         private const string ChunkCountPrefix = "chunks-";
@@ -42,7 +42,7 @@ public ChunkingCookieManager()
         {
             // Lowest common denominator. Safari has the lowest known limit (4093), and we leave little extra just in case.
             // See http://browsercookielimits.x64.me/.
-            // Leave at least 20 in case CookiePolicy tries to add 'secure' and/or 'httponly'.
+            // Leave at least 40 in case CookiePolicy tries to add 'secure', 'samesite=strict' and/or 'httponly'.
             ChunkSize = DefaultChunkSize;
             ThrowForPartialCookies = true;
         }
@@ -166,6 +166,7 @@ public void AppendResponseCookie(HttpContext context, string key, string value,
             {
                 Domain = options.Domain,
                 Expires = options.Expires,
+                SameSite = (Net.Http.Headers.SameSiteMode)options.SameSite,
                 HttpOnly = options.HttpOnly,
                 Path = options.Path,
                 Secure = options.Secure,
@@ -284,6 +285,7 @@ public void DeleteCookie(HttpContext context, string key, CookieOptions options)
                 {
                     Path = options.Path,
                     Domain = options.Domain,
+                    SameSite = options.SameSite,
                     Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
                 });
 
@@ -297,6 +299,7 @@ public void DeleteCookie(HttpContext context, string key, CookieOptions options)
                     {
                         Path = options.Path,
                         Domain = options.Domain,
+                        SameSite = options.SameSite,
                         Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
                     });
             }

src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs

@@ -179,6 +179,7 @@ private CookieOptions BuildCookieOptions()
             var cookieOptions = new CookieOptions
             {
                 Domain = Options.CookieDomain,
+                SameSite = Options.CookieSameSite,
                 HttpOnly = Options.CookieHttpOnly,
                 Path = Options.CookiePath ?? (OriginalPathBase.HasValue ? OriginalPathBase.ToString() : "/"),
             };

src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs

@@ -4,7 +4,6 @@
 using System;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Http;
-using Microsoft.Extensions.Options;
 
 namespace Microsoft.AspNetCore.Authentication.Cookies
 {
@@ -23,6 +22,7 @@ public CookieAuthenticationOptions()
             ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
             ExpireTimeSpan = TimeSpan.FromDays(14);
             SlidingExpiration = true;
+            CookieSameSite = SameSiteMode.Strict;
             CookieHttpOnly = true;
             CookieSecure = CookieSecurePolicy.SameAsRequest;
             Events = new CookieAuthenticationEvents();
@@ -57,6 +57,12 @@ public string CookieName
         /// </summary>
         public string CookiePath { get; set; }
 
+        /// <summary>
+        /// Determines if the browser should allow the cookie to be attached to same-site or cross-site requests. The
+        /// default is Strict, which means the cookie is only allowed to be attached to same-site requests.
+        /// </summary>
+        public SameSiteMode CookieSameSite { get; set; }
+
         /// <summary>
         /// Determines if the browser should allow the cookie to be accessed by client-side javascript. The
         /// default is true, which means the cookie will only be passed to http requests and is not made available

src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs

@@ -899,6 +899,7 @@ private void WriteNonceCookie(string nonce)
                 new CookieOptions
                 {
                     HttpOnly = true,
+                    SameSite = Http.SameSiteMode.Lax,
                     Secure = Request.IsHttps,
                     Expires = Clock.UtcNow.Add(Options.ProtocolValidator.NonceLifetime)
                 });
@@ -930,6 +931,7 @@ private string ReadNonceCookie(string nonce)
                             var cookieOptions = new CookieOptions
                             {
                                 HttpOnly = true,
+                                SameSite = Http.SameSiteMode.Lax,
                                 Secure = Request.IsHttps
                             };
 

src/Microsoft.AspNetCore.Authentication.Twitter/TwitterHandler.cs

@@ -83,6 +83,7 @@ protected override async Task<AuthenticateResult> HandleRemoteAuthenticateAsync(
             var cookieOptions = new CookieOptions
             {
                 HttpOnly = true,
+                SameSite = SameSiteMode.Lax,
                 Secure = Request.IsHttps
             };
 
@@ -160,6 +161,7 @@ protected override async Task HandleUnauthorizedAsync(ChallengeContext context)
             var cookieOptions = new CookieOptions
             {
                 HttpOnly = true,
+                SameSite = SameSiteMode.Lax,
                 Secure = Request.IsHttps,
                 Expires = Clock.UtcNow.Add(Options.RemoteAuthenticationTimeout),
             };

src/Microsoft.AspNetCore.Authentication/RemoteAuthenticationHandler.cs

@@ -203,6 +203,7 @@ protected virtual void GenerateCorrelationId(AuthenticationProperties properties
             var cookieOptions = new CookieOptions
             {
                 HttpOnly = true,
+                SameSite = SameSiteMode.Lax,
                 Secure = Request.IsHttps,
                 Expires = Clock.UtcNow.Add(Options.RemoteAuthenticationTimeout),
             };
@@ -242,6 +243,7 @@ protected virtual bool ValidateCorrelationId(AuthenticationProperties properties
             var cookieOptions = new CookieOptions
             {
                 HttpOnly = true,
+                SameSite = SameSiteMode.Lax,
                 Secure = Request.IsHttps
             };
             Response.Cookies.Delete(cookieName, cookieOptions);

src/Microsoft.AspNetCore.CookiePolicy/CookiePolicyMiddleware.cs

@@ -74,7 +74,7 @@ public IResponseCookies Cookies
 
             private bool PolicyRequiresCookieOptions()
             {
-                return Policy.HttpOnly != HttpOnlyPolicy.None || Policy.Secure != CookieSecurePolicy.None;
+                return Policy.MinimumSameSitePolicy != SameSiteMode.None || Policy.HttpOnly != HttpOnlyPolicy.None || Policy.Secure != CookieSecurePolicy.None;
             }
 
             public void Append(string key, string value)
@@ -151,6 +151,22 @@ private void ApplyPolicy(CookieOptions options)
                     default:
                         throw new InvalidOperationException();
                 }
+                switch (Policy.MinimumSameSitePolicy)
+                {
+                    case SameSiteMode.None:
+                        break;
+                    case SameSiteMode.Lax:
+                        if (options.SameSite == SameSiteMode.None)
+                        {
+                            options.SameSite = SameSiteMode.Lax;
+                        }
+                        break;
+                    case SameSiteMode.Strict:
+                        options.SameSite = SameSiteMode.Strict;
+                        break;
+                    default:
+                        throw new InvalidOperationException($"Unrecognized {nameof(SameSiteMode)} value {Policy.MinimumSameSitePolicy.ToString()}");
+                }
                 switch (Policy.HttpOnly)
                 {
                     case HttpOnlyPolicy.Always:
@@ -159,7 +175,7 @@ private void ApplyPolicy(CookieOptions options)
                     case HttpOnlyPolicy.None:
                         break;
                     default:
-                        throw new InvalidOperationException();
+                        throw new InvalidOperationException($"Unrecognized {nameof(HttpOnlyPolicy)} value {Policy.HttpOnly.ToString()}");
                 }
             }
         }

src/Microsoft.AspNetCore.CookiePolicy/CookiePolicyOptions.cs

@@ -12,6 +12,11 @@ namespace Microsoft.AspNetCore.Builder
     /// </summary>
     public class CookiePolicyOptions
     {
+        /// <summary>
+        /// Affects the cookie's same site attribute.
+        /// </summary>
+        public SameSiteMode MinimumSameSitePolicy { get; set; } = SameSiteMode.Strict;
+
         /// <summary>
         /// Affects whether cookies must be HttpOnly.
         /// </summary>

test/Microsoft.AspNetCore.Authentication.Test/CookieTests.cs

@@ -136,6 +136,7 @@ public async Task SignInCausesDefaultCookieToBeCreated()
             Assert.StartsWith("TestCookie=", setCookie);
             Assert.Contains("; path=/", setCookie);
             Assert.Contains("; httponly", setCookie);
+            Assert.Contains("; samesite=", setCookie);
             Assert.DoesNotContain("; expires=", setCookie);
             Assert.DoesNotContain("; domain=", setCookie);
             Assert.DoesNotContain("; secure", setCookie);
@@ -206,6 +207,7 @@ public async Task CookieOptionsAlterSetCookieHeader()
                 o.CookiePath = "/foo";
                 o.CookieDomain = "another.com";
                 o.CookieSecure = CookieSecurePolicy.Always;
+                o.CookieSameSite = SameSiteMode.None;
                 o.CookieHttpOnly = true;
             }, SignInAsAlice, baseAddress: new Uri("http://example.com/base"));
 
@@ -217,12 +219,14 @@ public async Task CookieOptionsAlterSetCookieHeader()
             Assert.Contains(" path=/foo", setCookie1);
             Assert.Contains(" domain=another.com", setCookie1);
             Assert.Contains(" secure", setCookie1);
+            Assert.DoesNotContain(" samesite", setCookie1);
             Assert.Contains(" httponly", setCookie1);
 
             var server2 = CreateServer(o =>
             {
                 o.CookieName = "SecondCookie";
                 o.CookieSecure = CookieSecurePolicy.None;
+                o.CookieSameSite = SameSiteMode.Strict;
                 o.CookieHttpOnly = false;
             }, SignInAsAlice, baseAddress: new Uri("http://example.com/base"));
 
@@ -232,6 +236,7 @@ public async Task CookieOptionsAlterSetCookieHeader()
 
             Assert.Contains("SecondCookie=", setCookie2);
             Assert.Contains(" path=/base", setCookie2);
+            Assert.Contains(" samesite=strict", setCookie2);
             Assert.DoesNotContain(" domain=", setCookie2);
             Assert.DoesNotContain(" secure", setCookie2);
             Assert.DoesNotContain(" httponly", setCookie2);

test/Microsoft.AspNetCore.ChunkingCookieManager.Sources.Test/CookieChunkingTests.cs

@@ -18,7 +18,7 @@ public void AppendLargeCookie_Appended()
             new ChunkingCookieManager() { ChunkSize = null }.AppendResponseCookie(context, "TestCookie", testString, new CookieOptions());
             var values = context.Response.Headers["Set-Cookie"];
             Assert.Equal(1, values.Count);
-            Assert.Equal("TestCookie=" + testString + "; path=/", values[0]);
+            Assert.Equal("TestCookie=" + testString + "; path=/; samesite=lax", values[0]);
         }
 
         [Fact]
@@ -27,20 +27,20 @@ public void AppendLargeCookieWithLimit_Chunked()
             HttpContext context = new DefaultHttpContext();
 
             string testString = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
-            new ChunkingCookieManager() { ChunkSize = 30 }.AppendResponseCookie(context, "TestCookie", testString, new CookieOptions());
+            new ChunkingCookieManager() { ChunkSize = 44 }.AppendResponseCookie(context, "TestCookie", testString, new CookieOptions());
             var values = context.Response.Headers["Set-Cookie"];
             Assert.Equal(9, values.Count);
             Assert.Equal<string[]>(new[]
             {
-                "TestCookie=chunks-8; path=/",
-                "TestCookieC1=abcdefgh; path=/",
-                "TestCookieC2=ijklmnop; path=/",
-                "TestCookieC3=qrstuvwx; path=/",
-                "TestCookieC4=yz012345; path=/",
-                "TestCookieC5=6789ABCD; path=/",
-                "TestCookieC6=EFGHIJKL; path=/",
-                "TestCookieC7=MNOPQRST; path=/",
-                "TestCookieC8=UVWXYZ; path=/",
+                "TestCookie=chunks-8; path=/; samesite=lax",
+                "TestCookieC1=abcdefgh; path=/; samesite=lax",
+                "TestCookieC2=ijklmnop; path=/; samesite=lax",
+                "TestCookieC3=qrstuvwx; path=/; samesite=lax",
+                "TestCookieC4=yz012345; path=/; samesite=lax",
+                "TestCookieC5=6789ABCD; path=/; samesite=lax",
+                "TestCookieC6=EFGHIJKL; path=/; samesite=lax",
+                "TestCookieC7=MNOPQRST; path=/; samesite=lax",
+                "TestCookieC8=UVWXYZ; path=/; samesite=lax",
             }, values);
         }
 
@@ -116,14 +116,14 @@ public void DeleteChunkedCookieWithOptions_AllDeleted()
             Assert.Equal(8, cookies.Count);
             Assert.Equal(new[]
             {
-                "TestCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/",
-                "TestCookieC1=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/",
-                "TestCookieC2=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/",
-                "TestCookieC3=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/",
-                "TestCookieC4=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/",
-                "TestCookieC5=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/",
-                "TestCookieC6=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/",
-                "TestCookieC7=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/",
+                "TestCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
+                "TestCookieC1=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
+                "TestCookieC2=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
+                "TestCookieC3=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
+                "TestCookieC4=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
+                "TestCookieC5=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
+                "TestCookieC6=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
+                "TestCookieC7=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
             }, cookies);
         }
     }