Merge pull request #4493 from thabaum/set-samesite-lax-visitor-culture-cookies

Fix #4492: Updates Culture and Visitor cookies to use "Lax" SameSite and Secure Cookie Options
Shaun Walker 2024-08-10 14:08:01 -04:00 committed by GitHub
commit 3054d33e62
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 16 additions and 2 deletions


@ -429,7 +429,10 @@
new CookieOptions() new CookieOptions()
{ {
Expires = DateTimeOffset.UtcNow.AddYears(10), Expires = DateTimeOffset.UtcNow.AddYears(10),
IsEssential = true IsEssential = true,
SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
Secure = true, // Ensure the cookie is only sent over HTTPS
HttpOnly = true // Optional: Helps mitigate XSS attacks
} }
); );
} }
@ -601,9 +604,19 @@
private void SetLocalizationCookie(string culture) private void SetLocalizationCookie(string culture)
{ {
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions
{
Expires = DateTimeOffset.UtcNow.AddYears(1),
SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
Secure = true, // Ensure the cookie is only sent over HTTPS
HttpOnly = true // Optional: Helps mitigate XSS attacks
};
Context.Response.Cookies.Append( Context.Response.Cookies.Append(
CookieRequestCultureProvider.DefaultCookieName, CookieRequestCultureProvider.DefaultCookieName,
CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture))); CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture)),
cookieOptions
);
} }
private async Task<List<Resource>> GetPageResources(Alias alias, Site site, Page page, List<Module> modules, int moduleid, string action) private async Task<List<Resource>> GetPageResources(Alias alias, Site site, Page page, List<Module> modules, int moduleid, string action)
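Review bot: `Secure = true` is hard-coded in both hunks (the visitor cookie and the new `cookieOptions` in SetLocalizationCookie), so on a site served over plain HTTP (local development, or behind a TLS-terminating proxy without forwarded-proto headers) modern browsers will drop the Set-Cookie entirely and neither the visitor nor the culture cookie is ever stored. The antiforgery cookie in the same commit uses `CookieSecurePolicy.SameAsRequest`; the equivalent here, given that `Context.Response` is already in scope, would be `Secure = Context.Request.IsHttps, // Secure only when the request itself is HTTPS` on both sites, assuming `Context` is the HttpContext as the Append call suggests. The `// Optional: Helps mitigate XSS attacks` comment on `HttpOnly` reads as if the flag were negotiable; since both cookies are only written and read server-side in the visible code, a clearer comment is `// not needed by client script; keep out of document.cookie`. The enclosing method of the first hunk starts and ends outside the visible lines, so I cannot tell whether the visitor cookie is read by any client-side interop, which would make HttpOnly a behaviour change worth confirming.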


@ -100,6 +100,7 @@ namespace Oqtane
options.Cookie.Name = Constants.AntiForgeryTokenCookieName; options.Cookie.Name = Constants.AntiForgeryTokenCookieName;
options.Cookie.SameSite = SameSiteMode.Strict; options.Cookie.SameSite = SameSiteMode.Strict;
options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
options.Cookie.HttpOnly = true;
}); });
services.AddIdentityCore<IdentityUser>(options => { }) services.AddIdentityCore<IdentityUser>(options => { })
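Review bot: The added `options.Cookie.HttpOnly = true;` is, as far as I recall, already the default for the antiforgery cookie builder in ASP.NET Core, so this line states intent rather than changing behaviour; that is worth saying so the next reader does not assume a previous gap. A short comment such as `options.Cookie.HttpOnly = true; // already the antiforgery default; stated explicitly alongside the other hardening options` would make that clear. Note also that this cookie keeps `SecurePolicy = SameAsRequest` while the cookies changed in the other file hard-code `Secure = true`; the two should follow the same policy so the site behaves consistently over HTTP.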