RC2, seems like CookieAuthenticationOptions.CookieSecure does not work

[sadjadbp]

In RC2, seems like setting
CookieAuthenticationOptions.CookieSecure = CookieSecureOption.Always;

Does not work anymore. We cannot afford the default value SameAsRequest since we are behind a LoadBalancer that opens the SSL packets and sends us via HTTP. In RC1, the same code in our Startup.cs use to take care of it.

[Tratcher]

Please share the response headers.

[Tratcher]

Note that some load balancers will give you an x-forwarded-proto header to let you know the original scheme. Or if you know it will always be https you can hardcode it:

app.Use((context, next) =>
{
  context.Request.Scheme = "https";
  return next();
});

[sadjadbp]

@Tratcher our response header:

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Kestrel
Set-Cookie: .AspNetCore.Antiforgery.fU83vCg1Q3E=CfDJ8NPOhTB6To9Ll_bBm2FKytkgxg9VUwfHWRziRp9DWvXl8bTHLNvx_C8HbZm0jvnncV4Vis145gkZHuog6XvDac8_NgPITPv9ikBeGkLbg_5FG6maSHKGZzC9Bfm5O9FRIqQ9YFgUJDvZdUiC7T3bI24; path=/; httponly
Set-Cookie: .AspNetCore.Session=80b0f95b-49a4-9a09-ccf3-f6bbc8b6c8c6; domain=.eimmigration.com; path=/; httponly
X-Frame-Options: SAMEORIGIN
Date: Fri, 20 May 2016 22:10:46 GMT
Content-Length: 17290

[Tratcher]

That's session and anti-forgery, not CookieAuthentication. Were you intending to use Microsoft.AspNetCore.CookiePolicy?

[sadjadbp]

Oh sure, you are right! I've checked and that other cookie is set to secure. So what I'm looking for is

app.UseSession(new SessionOptions() { });

But there is no option for CookieSecure on that SessionOptions. Am I asking the right question under right Repro? Since my other question #832 is about how to make .AspNetCore.Antiforgery always secure.

[Tratcher]

aspnet/Session#106
For now use the CookiePolicy middleware, it can sit in front of the others and override their settings.

[Tratcher]

That said, you should really fix your request scheme rather than focusing on the cookie settings. For example aren't your links automatically generated using http instead of https?

[sadjadbp]

@Tratcher Thanks. Cookie middleware worked. But as I tested, using that Cookie middleware, works for .AspNetCore,Antiforgery and .AspNetCore.Session but won't work on AuthenticationCookie so I have to set that separately. Don't know if it is a bug or as intended.

[Tratcher]

A bug: #814

[sadjadbp]

Wow, you guys are super fast, super helpful. I'm getting my life's best tech support ever. Thanks again.

Q#2, as for the issue of load balancer you think that small middleware
app.Use((context, next) => { context.Request.Scheme = "https"; return next(); });

Would fix all these types of issues? I'm going to test it. Does it matter were I put in Startup::Configure

[Tratcher]

Yes it should help with these issues because many middleware inspect the scheme. Put it at the start so all it affects all requests.

Does your load balancer specify x-forwarded-for headers? In that case us the ForwardedHeaders middleware instead. https://github.com/aspnet/BasicMiddleware/blob/dev/samples/HttpOverridesSample/Startup.cs#L13

[Tratcher]

woops, x-forwarded-proto headers...

[sadjadbp]

@Tratcher good.

Not sure they said to use 'X-SSL-SessionId'. I'm going to check that X-Forwarded-Proto

Thanks again.

[sadjadbp]

One last question, any plans to add "same-site" setting on CookiePolicy middleware. I think I can do it now with OnAppendCookie event.

[Eilon]

Cookies by default only get sent back to the same domain. Can you clarify what you're asking about?

[sadjadbp]

@Eilon I'm asking about "same-site cookie attribute" something like
Set-Cookie: key=value; HttpOnly; SameSite=strict

[Eilon]

@blowdart @Tratcher ?

[Tratcher]

Ah, this draft? https://tools.ietf.org/html/draft-west-first-party-cookies-07? Maybe when the spec is finished.

[sadjadbp]

Thanks