ResponseCookies.Delete() does not honor CookieOptions such as Secure or HttpOnly

[vladimirlapacek]

Delete() basically creates new CookieOptions that mutes the Secure and HttpOnly options. We have an HP security scan indicating that the cookie expiration call is insecure as it's not marking the OWIN OIDC nonce cookies expiration as Secure. I understand that this is not a real threat, but making the Delete() call consistent with the input CookieOptions would help people get rid of such problems.

[Tratcher]

OWIN
I'd be curious if any clients key on those fields, but I assume not or we'd have gotten more complaints by now. We can try passing those values through and see what happens with common browsers.

[vladimirlapacek]

Thanks for the quick response. Sounds great!

[muratg]

Moving this to Backlog as we will be in RC2 ask mode very soon. If you feel strongly about this issue, please ping me.