From bd2153a0ed4cbfee326aa3d996f005bacdd94c9e Mon Sep 17 00:00:00 2001
From: Cody
Date: Sat, 5 Oct 2024 13:23:09 -0700
Subject: [PATCH] Update cookie options to set SameSite, HttpOnly, Secure settings

---
 .../Themes/Controls/Theme/LanguageSwitcher.razor | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/Oqtane.Client/Themes/Controls/Theme/LanguageSwitcher.razor b/Oqtane.Client/Themes/Controls/Theme/LanguageSwitcher.razor
index 38594fea..2af5f6ac 100644
--- a/Oqtane.Client/Themes/Controls/Theme/LanguageSwitcher.razor
+++ b/Oqtane.Client/Themes/Controls/Theme/LanguageSwitcher.razor
@@ -54,7 +54,16 @@
 if (_supportedCultures.Any(item => item.Name == culture))
 {
 var localizationCookieValue = CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture));
- HttpContext.Response.Cookies.Append(CookieRequestCultureProvider.DefaultCookieName, localizationCookieValue, new CookieOptions { Path = "/", Expires = DateTimeOffset.UtcNow.AddYears(365) });
+
+ HttpContext.Response.Cookies.Append(CookieRequestCultureProvider.DefaultCookieName, localizationCookieValue, new CookieOptions
+ {
+ Path = "/",
+ Expires = DateTimeOffset.UtcNow.AddYears(365),
+ SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
+ Secure = true, // Ensure the cookie is only sent over HTTPS
+ HttpOnly = true // Optional: Helps mitigate XSS attacks
+ });
+
 }
 NavigationManager.NavigateTo(NavigationManager.Uri.Replace($"?culture={culture}", ""), true);
 }
@@ -66,7 +75,7 @@
 {
 var localizationCookieValue = CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture));
 var interop = new Interop(JSRuntime);
- await interop.SetCookie(CookieRequestCultureProvider.DefaultCookieName, localizationCookieValue, 360);
+ await interop.SetCookie(CookieRequestCultureProvider.DefaultCookieName, localizationCookieValue, 360, true, true, "Lax");
 NavigationManager.NavigateTo(NavigationManager.Uri, true);
 }
 }
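Review bot: `Secure = true` is hard-coded in the new CookieOptions initializer, so when the site is served over plain HTTP (typical for local development) most browsers discard the culture cookie and the switcher silently stops working; `Secure = HttpContext.Request.IsHttps,` keeps the attribute on HTTPS deployments without breaking HTTP ones. `Microsoft.AspNetCore.Http.SameSiteMode.Lax` can be written `SameSiteMode.Lax`, since `CookieOptions` from the same namespace already resolves on this line. The trailing comments restate the property names, and `// Optional: Helps mitigate XSS attacks` overstates HttpOnly, which only stops script from reading a cookie that holds no secret here, so either drop them or replace all three with one line such as `// Culture preference is not sensitive; HttpOnly/SameSite only limit where the browser will send it`. The expiry `DateTimeOffset.UtcNow.AddYears(365)` is carried over from the removed line and looks like a days/years mixup against the 360 passed to interop.SetCookie in the next hunk. The enclosing method begins above this hunk.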
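Review bot: The three new positional arguments `true, true, "Lax"` give no hint which flag is secure and which is httponly, and since Interop.SetCookie is not visible here I cannot confirm the order; named arguments for those parameters would make the call self-documenting. If Interop.SetCookie writes through document.cookie, as a Blazor interop helper presumably does, the httponly value has no effect because a cookie written from script cannot carry HttpOnly, and a hard-coded secure flag means the cookie is dropped on non-HTTPS origins just as on the server-side path. Rather than a literal `true`, derive the secure flag from the scheme of `NavigationManager.Uri` so both paths behave the same on HTTP and HTTPS. The enclosing method begins above this hunk.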