CookiePolicy middleware can't affect CookieAuthentication middleware

[analogrelay]

Because the CookieAuthentication middleware does it's own cookie-writing manually (see https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.Cookies/ChunkingCookieManager.cs), the CookiePolicy middleware can't affect it. This is easily seen by doing something like this in your Startup.cs

app.UseCookiePolicy(new CookiePolicyOptions()
{
    HttpOnly = HttpOnlyPolicy.Always
});

app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    AuthenticationScheme = "MagicSignin",
    CookieHttpOnly = false,
    LoginPath = new PathString("/Account/Login"),
    AccessDeniedPath = new PathString("/Account/AccessDenied"),
    AutomaticAuthenticate = true,
    AutomaticChallenge = true
});

CookiePolicy works by replacing the IResponseCookiesFeature, but CookieAuth sets the header manually so it ignores the policy.

[brockallen]

Does this mean there are 2 different ways to emit cookies in ASP.NET Core then?

[Tratcher]

Sortof. HttpContext.Response.Cookies.Append and HttpContext.Response.Headers.Append can both be used to set a set-cookie header. Note you could also do this in Asp.Net 4. The difference between 4 and Core is that in Core the headers are the source of truth, where in 4 there was a cookies collection that would overwrite the headers just before sending the response.

[davidfowl]

This feels like something we should fix post RC2.

[analogrelay]

@davidfowl Agree entirely. It's a functional change, yes, but a fairly edge-case scenario and I agree it need not be a priority for RC2.