Allow a way to mark all cookies as "HTTP only" and "SSL required" by default

[GrabYourPitchforks]

Basically, this would be an equivalent to the <httpCookies> element in Web.config:

<httpCookies domain="String" 
             httpOnlyCookies="true|false" 
             requireSSL="true|false" />

Allows marking all cookies with these flags regardless of how the CookieOptions object is constructed. More info at http://msdn.microsoft.com/en-us/library/ms228262(v=vs.100).aspx.

[blowdart]

And rename the "secure" cookie option as part of this.

[Eilon]

Removing @GrabYourPitchforks as the assignee 😄 (Unless you like, you know, really want to do it 😄 )

[Tratcher]

@blowdart in this case secure is appropriate because that's the actual text used in the cookie header.

[blowdart]

That doesn't make it true though.

[Tratcher]

Agreed, but we can't change the RFC. Renaming our APIS that set this value will just case confusion about what's being set.

[davidfowl]

Seems like this would be a feature of Hosting

[Tratcher]

Any proposals on how? High jacking the IResponseCookiesFeature?

[davidfowl]

I think so.

[SteveArr]

I would be interested in taking this on.

I am already doing some work with the Secure flag on cookies for aspnet/Session#28

[HaoK]

@blowdart how important is this for beta 6 (i.e. do we need this now?)

[blowdart]

It's a big security regression, so it would be really really nice to have as soon as possible, but I leave the exact release to your discretion. If you have time now, then please do now.

[HaoK]

Ok I will try to take a look this week

[Tratcher]

Preference for making this a middleware rather than embedding it in hosting.

[blowdart]

Added suggestion - why not change the cookie class to make cookies http only for default, and make them "secure" by default if the request is over https.

[HaoK]

Not going to happen for beta 6 at this point

[davidfowl]

@HaoK lets have a little design meeting before you tackle this.

[muratg]

@HaoK will you be able to look into this?

[HaoK]

UseCookiePolicy(new CookiePolicyOptions
{
  HttpOnly = HttpOnlyPolicy.None | Always
  Secure = SecurityPolicy.None | Always | SameAsRequest
  OnAppendCookie = ctx => 
  OnDeleteCookie = ctx => 

  AppendCookieContext ( HttpContext, CookieOption, CookieName, CookieValue)
  DeleteCookieContext ( HttpContext, CookieOption, CookieName)
});

[HaoK]

Test Map behavior

[HaoK]

Namespace: Microsoft.AspNet.CookiePolicy in security repo stand alone package.

[davidfowl]

This is nice!

[HaoK]

5cc1fea40045041f77a6bb2bd23e231e24f82da7

[mgolois]

@HaoK I just want to confirm. Im currently migrating code.

.net 4.5 mvc:
<httpCookies requireSSL="true" />

so in .net core mvc, it should be this:
services.ConfigureApplicationCookie(o => o.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always);

is that correct?

[Tratcher]

Comments on closed issues are not tracked, please open a new issue with the details for your scenario.