Cookies and ASP.NET Core

This might be a simple question; I'm hoping it is, at least.

I've started to look into the Release Candidate of ASP.NET Core and I can see that a lot of the configuration has been moved out of the old web.config file and into JSON structured files (as well as XML and any other middleware that you might want to write yourself).
The one thing I haven't yet figured out how to do is something that was so simple in the old web.config approach: securing some of the basic components of your site, like cookies.

Previously we'd set the secure, httpOnly and so on inside web.config and when it came to deployment a nice little transform file would modify the values for us and spit out the new file at the end. After reading round a bit, it seems that web.config is pretty much dead now, so how do we go about achieving the same results?

I know we can load different config files based on whether certain variables, such as environment, are set to DEV, STAGING, PRODUCTION, etc., but this seems to be just replacing transforms with something that is a transform for all intents and purposes, except in how it's actually loaded?

Have I missed something here or have I managed to work myself into a bit of a mess?

Jak Hammond asked Mar 22 '16 22:03



1 Answer

For a general cookie manually created within your application, you control the flags for security when creating it - for example:

using Microsoft.AspNetCore.Http;

// Inside a controller action (or anywhere an HttpResponse is in scope)
Response.Cookies.Append(
    "COOKIE_NAME",
    "COOKIE_VALUE",
    new CookieOptions()
    {
        Path = "/",
        HttpOnly = false, // true: cookie is hidden from document.cookie / client-side JS
        Secure = false    // true: browser only sends the cookie over HTTPS
    }
);

Here, setting HttpOnly to true would prevent client-side JS from accessing the cookie value, and setting Secure to true would only allow the cookie to be served/received over HTTPS.

No defaults are applied when you add cookies to the response, as can be seen in the source code for the ResponseCookies class.

For the various middlewares that create and consume their own cookies (like the Session middleware that you have mentioned in your answer), they may have their own configuration options that will control these flags for those cookies they create themselves, but this will make no difference to cookies you create elsewhere in your application.

Mark Hughes answered Oct 20 '22 21:10
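The answer above covers the two places flags can be set: per cookie in CookieOptions, and per middleware in that middleware's own options. What it does not show is how to get the behaviour the question actually asks for, a site-wide baseline that differs per environment. The following is an added example, not code from the answer or from the ASP.NET Core project. It assumes the minimal hosting model of ASP.NET Core 6 or later (so Program.cs rather than the RC1 Startup class the question was written against), and the configuration section "CookieSecurity:RequireHttps" and the cookie names ".MyApp.Session", ".MyApp.Auth", "visited" and "ui-theme" are invented for the example:

```csharp
// Program.cs (ASP.NET Core 6+ minimal hosting). Added example, not from the page.
// Enforces HttpOnly/Secure/SameSite on every cookie the app emits, and reads the
// environment-specific part from configuration: appsettings.Development.json can
// set "CookieSecurity": { "RequireHttps": false } while appsettings.Production.json
// sets it to true. The section name and cookie names are assumptions of this example.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// appsettings.{Environment}.json is layered over appsettings.json by the default
// host builder, so this replaces the old web.config transform. If the key is
// missing, fall back to "require HTTPS everywhere except Development".
bool requireHttps = builder.Configuration.GetValue<bool>(
    "CookieSecurity:RequireHttps",
    defaultValue: !builder.Environment.IsDevelopment());

// Always: Secure flag on every cookie. SameAsRequest: Secure only when the
// request itself came over HTTPS, so plain-HTTP dev setups still get cookies back.
var securePolicy = requireHttps ? CookieSecurePolicy.Always : CookieSecurePolicy.SameAsRequest;

// 1. Framework-owned cookies: each middleware exposes its own CookieBuilder.
builder.Services.AddSession(options =>
{
    options.Cookie.Name = ".MyApp.Session";      // assumed name
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = securePolicy;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.IsEssential = true;
});

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = ".MyApp.Auth";     // assumed name
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = securePolicy;
        // Lax rather than Strict: a Strict auth cookie is dropped on the
        // top-level redirect back from an external identity provider.
        options.Cookie.SameSite = SameSiteMode.Lax;
    });

// 2. Everything else, including every Response.Cookies.Append call made after
// UseCookiePolicy in the pipeline. The policy middleware wraps the response
// cookie collection and rewrites each cookie's options, so a forgotten
// HttpOnly/Secure in application code cannot fall below this baseline.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.Secure = securePolicy;
    options.MinimumSameSitePolicy = SameSiteMode.Lax;
    // OnAppendCookie runs after the policy has been applied, so it is the place
    // for a deliberate, named exception: one cookie that client-side script must read.
    options.OnAppendCookie = ctx =>
    {
        if (ctx.CookieName == "ui-theme")   // assumed name
            ctx.CookieOptions.HttpOnly = false;
    };
});

var app = builder.Build();

app.UseHttpsRedirection();
app.UseCookiePolicy();   // must run before anything that writes cookies
app.UseSession();
app.UseAuthentication();

app.MapGet("/", (HttpContext http) =>
{
    // No flags are set here, yet the emitted Set-Cookie for "visited" carries
    // HttpOnly, SameSite=Lax and (when required) Secure, because the policy
    // middleware added them. "ui-theme" loses HttpOnly via OnAppendCookie.
    http.Response.Cookies.Append("visited", "1");
    http.Response.Cookies.Append("ui-theme", "dark");
    return "ok";
});

app.Run();
```

Two things worth checking after wiring this up: run `curl -i https://localhost:<port>/` against a Development and a Production build and compare the Set-Cookie headers, since the only difference should be the Secure attribute; and remember that the policy middleware only governs cookies written after it in the pipeline, so anything that calls Response.Cookies.Append from middleware registered before UseCookiePolicy is still on its own.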