Merge pull request #4712 from thabaum/language-switcher-cookie

Fix #4710 - Adds language switcher component cookie set options for secure, httpOnly, sameSite + interop.cs/interop.js methods samesite and secure options
2024-10-14 14:41:18 -04:00 · 2024-10-14 14:41:18 -04:00 · 0e5b370ee8
commit 0e5b370ee8
parent f4fd4e28c9 f60f7a4dc1
6 changed files with 35 additions and 12 deletions
--- a/Oqtane.Client/Modules/Admin/Languages/Add.razor
+++ b/Oqtane.Client/Modules/Admin/Languages/Add.razor
@ -130,7 +130,7 @@ else
        {
            var interop = new Interop(JSRuntime);
            var localizationCookieValue = CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture));
-            await interop.SetCookie(CookieRequestCultureProvider.DefaultCookieName, localizationCookieValue, 360);
+            await interop.SetCookie(CookieRequestCultureProvider.DefaultCookieName, localizationCookieValue, 360, true, "Lax");
        }
    }

--- a/Oqtane.Client/Modules/Admin/Languages/Edit.razor
+++ b/Oqtane.Client/Modules/Admin/Languages/Edit.razor
@ -103,7 +103,7 @@ else
        {
            var interop = new Interop(JSRuntime);
            var localizationCookieValue = CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture));
-            await interop.SetCookie(CookieRequestCultureProvider.DefaultCookieName, localizationCookieValue, 360);
+            await interop.SetCookie(CookieRequestCultureProvider.DefaultCookieName, localizationCookieValue, 360, true, "Lax");
        }
    }

--- a/Oqtane.Client/Themes/Controls/Theme/LanguageSwitcher.razor
+++ b/Oqtane.Client/Themes/Controls/Theme/LanguageSwitcher.razor
@ -54,9 +54,18 @@
            if (_supportedCultures.Any(item => item.Name == culture))
            {
                var localizationCookieValue = CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture));
-                HttpContext.Response.Cookies.Append(CookieRequestCultureProvider.DefaultCookieName, localizationCookieValue, new CookieOptions { Path = "/", Expires = DateTimeOffset.UtcNow.AddYears(365) });
+
+                HttpContext.Response.Cookies.Append(CookieRequestCultureProvider.DefaultCookieName, localizationCookieValue, new CookieOptions
+                    {
+                        Path = "/",
+                        Expires = DateTimeOffset.UtcNow.AddYears(365),
+                        SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
+                        Secure = true, // Ensure the cookie is only sent over HTTPS
+                        HttpOnly = true // Optional: Helps mitigate XSS attacks
+                    });
+
            }
-            NavigationManager.NavigateTo(NavigationManager.Uri.Replace($"?culture={culture}", ""), forceLoad: true);
+            NavigationManager.NavigateTo(NavigationManager.Uri.Replace($"?culture={culture}", ""), true);
        }
    }

@ -66,8 +75,8 @@
        {
            var localizationCookieValue = CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture));
            var interop = new Interop(JSRuntime);
-            await interop.SetCookie(CookieRequestCultureProvider.DefaultCookieName, localizationCookieValue, 360);
-            NavigationManager.NavigateTo(NavigationManager.Uri, forceLoad: true);
+            await interop.SetCookie(CookieRequestCultureProvider.DefaultCookieName, localizationCookieValue, 360, true, "Lax");
+            NavigationManager.NavigateTo(NavigationManager.Uri, true);
        }
    }
 }
--- a/Oqtane.Client/UI/Interop.cs
+++ b/Oqtane.Client/UI/Interop.cs
@ -16,13 +16,13 @@ namespace Oqtane.UI
            _jsRuntime = jsRuntime;
        }

-        public Task SetCookie(string name, string value, int days)
+        public Task SetCookie(string name, string value, int days, bool secure, string sameSite)
        {
            try
            {
                _jsRuntime.InvokeVoidAsync(
                    "Oqtane.Interop.setCookie",
-                    name, value, days);
+                    name, value, days, secure, sameSite);
                return Task.CompletedTask;
            }
            catch
--- a/Oqtane.Maui/wwwroot/js/interop.js
+++ b/Oqtane.Maui/wwwroot/js/interop.js
@ -1,11 +1,18 @@
 var Oqtane = Oqtane || {};

 Oqtane.Interop = {
-    setCookie: function (name, value, days) {
+    setCookie: function (name, value, days, secure, sameSite) {
        var d = new Date();
        d.setTime(d.getTime() + (days * 24 * 60 * 60 * 1000));
        var expires = "expires=" + d.toUTCString();
-        document.cookie = name + "=" + value + ";" + expires + ";path=/";
+        var cookieString = name + "=" + value + ";" + expires + ";path=/";
+        if (sameSite === "Lax" || sameSite === "Strict" || sameSite === "None") {
+            cookieString += `; SameSite=${sameSite}`;
+        }
+        if (secure) {
+            cookieString += "; Secure";
+        }
+        document.cookie = cookieString;
    },
    getCookie: function (name) {
        name = name + "=";
--- a/Oqtane.Server/wwwroot/js/interop.js
+++ b/Oqtane.Server/wwwroot/js/interop.js
@ -1,11 +1,18 @@
 var Oqtane = Oqtane || {};

 Oqtane.Interop = {
-    setCookie: function (name, value, days) {
+    setCookie: function (name, value, days, secure, sameSite) {
        var d = new Date();
        d.setTime(d.getTime() + (days * 24 * 60 * 60 * 1000));
        var expires = "expires=" + d.toUTCString();
-        document.cookie = name + "=" + value + ";" + expires + ";path=/";
+        var cookieString = name + "=" + value + ";" + expires + ";path=/";
+        if (sameSite === "Lax" || sameSite === "Strict" || sameSite === "None") {
+            cookieString += `; SameSite=${sameSite}`;
+        }
+        if (secure) {
+            cookieString += "; Secure";
+        }
+        document.cookie = cookieString;
    },
    getCookie: function (name) {
        name = name + "=";