This repository was archived by the owner on Dec 13, 2018. It is now read-only.

Commit ad70b21

committed
Add comment
1 parent f3d9e11 commit ad70b21


1 file changed

+8
-7
lines changed


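--- a/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs
+++ b/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs
@@ -22,6 +22,7 @@ public CookieAuthenticationOptions()
 ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
 ExpireTimeSpan = TimeSpan.FromDays(14);
 SlidingExpiration = true;
+// To support OAuth authentication, a lax mode is required, see https://github.com/aspnet/Security/issues/1231.
 CookieSameSite = SameSiteMode.Lax;
 CookieHttpOnly = true;
 CookieSecure = CookieSecurePolicy.SameAsRequest;
@@ -59,7 +60,7 @@ public string CookieName
 
 /// <summary>
 /// Determines if the browser should allow the cookie to be attached to same-site or cross-site requests. The
-/// default is Lax, which means the cookie is only allowed to be attached to cross-site requests using safe
+/// default is Lax, which means the cookie is only allowed to be attached to cross-site requests using safe
 /// HTTP methods and same-site requests.
 /// </summary>
 public SameSiteMode CookieSameSite { get; set; }
@@ -85,8 +86,8 @@ public string CookieName
 
 /// <summary>
 /// Controls how much time the cookie will remain valid from the point it is created. The expiration
-/// information is in the protected cookie ticket. Because of that an expired cookie will be ignored
-/// even if it is passed to the server after the browser should have purged it
+/// information is in the protected cookie ticket. Because of that an expired cookie will be ignored
+/// even if it is passed to the server after the browser should have purged it
 /// </summary>
 public TimeSpan ExpireTimeSpan { get; set; }
 
@@ -100,7 +101,7 @@ public string CookieName
 /// The LoginPath property informs the handler that it should change an outgoing 401 Unauthorized status
 /// code into a 302 redirection onto the given login path. The current url which generated the 401 is added
 /// to the LoginPath as a query string parameter named by the ReturnUrlParameter. Once a request to the
-/// LoginPath grants a new SignIn identity, the ReturnUrlParameter value is used to redirect the browser back
+/// LoginPath grants a new SignIn identity, the ReturnUrlParameter value is used to redirect the browser back
 /// to the url which caused the original unauthorized status code.
 /// </summary>
 public PathString LoginPath { get; set; }
@@ -118,15 +119,15 @@ public string CookieName
 
 /// <summary>
 /// The ReturnUrlParameter determines the name of the query string parameter which is appended by the handler
-/// when a 401 Unauthorized status code is changed to a 302 redirect onto the login path. This is also the query
-/// string parameter looked for when a request arrives on the login path or logout path, in order to return to the
+/// when a 401 Unauthorized status code is changed to a 302 redirect onto the login path. This is also the query
+/// string parameter looked for when a request arrives on the login path or logout path, in order to return to the
 /// original url after the action is performed.
 /// </summary>
 public string ReturnUrlParameter { get; set; }
 
 /// <summary>
 /// The Provider may be assigned to an instance of an object created by the application at startup time. The handler
-/// calls methods on the provider which give the application control at certain points where processing is occurring.
+/// calls methods on the provider which give the application control at certain points where processing is occurring.
 /// If it is not provided a default instance is supplied which does nothing when the methods are called.
 /// </summary>
 public new CookieAuthenticationEvents Events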
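Review bot: The comment added above `CookieSameSite = SameSiteMode.Lax;` in the constructor justifies the default only by linking to an issue, so a reader who cannot open the link learns neither what breaks under Strict nor what Lax gives up. Presumably the reason is that the browser returns from the external provider through a cross-site navigation, on which a Strict cookie would be withheld; if the issue confirms that, say so inline, e.g. `// Lax, not Strict: the redirect back from an external OAuth provider is a cross-site navigation and must still carry this cookie (aspnet/Security#1231).` The `CookieSameSite` summary further down could also state the consequence of this default: the cookie is still attached to cross-site requests that use safe HTTP methods, so antiforgery validation is still needed on state-changing endpoints. The constructor body starts and ends outside the hunk, and the remaining hunks in this file appear to be whitespace-only.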
