Updates Culture and Visitor cookies to use "Lax" SameSite and Secure cookie options

2024-08-07 11:52:53 -07:00 · 2024-08-07 11:52:53 -07:00 · ffa0ca9379
commit ffa0ca9379
parent b4506f1133
1 changed files with 15 additions and 2 deletions
--- a/Oqtane.Server/Components/App.razor
+++ b/Oqtane.Server/Components/App.razor
@ -429,7 +429,10 @@
                    new CookieOptions()
                    {
                        Expires = DateTimeOffset.UtcNow.AddYears(10),
-                        IsEssential = true
+                        IsEssential = true,
+                        SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
+                        Secure = true, // Ensure the cookie is only sent over HTTPS
+                        HttpOnly = true // Optional: Helps mitigate XSS attacks
                    }
                );
            }
@ -601,9 +604,19 @@

    private void SetLocalizationCookie(string culture)
    {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions
+        {
+            Expires = DateTimeOffset.UtcNow.AddYears(1),
+            SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
+            Secure = true, // Ensure the cookie is only sent over HTTPS
+            HttpOnly = true // Optional: Helps mitigate XSS attacks
+        };
+
        Context.Response.Cookies.Append(
            CookieRequestCultureProvider.DefaultCookieName,
-            CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture)));
+            CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture)),
+            cookieOptions
+        );
    }

    private async Task<List<Resource>> GetPageResources(Alias alias, Site site, Page page, List<Module> modules, int moduleid, string action)