huahaofeng
/
aspnetcore
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

#106 Fix: Adds Secure Cookie flag and tests

This commit is contained in:
Justin Kotalik 2016-06-16 09:51:33 -07:00
parent 0112361557
commit 219ef7450b
3 changed files with 66 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/Microsoft.AspNetCore.Session/SessionMiddleware.cs
View File

@ -156,6 +156,14 @@ namespace Microsoft.AspNetCore.Session
HttpOnly = _options.CookieHttpOnly, HttpOnly = _options.CookieHttpOnly,
Path = _options.CookiePath ?? SessionDefaults.CookiePath, Path = _options.CookiePath ?? SessionDefaults.CookiePath,
}; };
if (_options.CookieSecure == CookieSecurePolicy.SameAsRequest)
{
cookieOptions.Secure = _context.Request.IsHttps;
}
else
{
cookieOptions.Secure = _options.CookieSecure == CookieSecurePolicy.Always;
}
_context.Response.Cookies.Append(_options.CookieName, _cookieValue, cookieOptions); _context.Response.Cookies.Append(_options.CookieName, _cookieValue, cookieOptions);

5
src/Microsoft.AspNetCore.Session/SessionOptions.cs
View File

@ -2,6 +2,7 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System; using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Session; using Microsoft.AspNetCore.Session;
namespace Microsoft.AspNetCore.Builder namespace Microsoft.AspNetCore.Builder
@ -35,6 +36,10 @@ namespace Microsoft.AspNetCore.Builder
/// </summary> /// </summary>
public bool CookieHttpOnly { get; set; } = true; public bool CookieHttpOnly { get; set; } = true;
/// <summary>
/// Determines if the cookie should only be transmitted on HTTPS requests.
public CookieSecurePolicy CookieSecure { get; set; } = CookieSecurePolicy.None;
/// <summary> /// <summary>
/// The IdleTimeout indicates how long the session can be idle before its contents are abandoned. Each session access /// The IdleTimeout indicates how long the session can be idle before its contents are abandoned. Each session access
/// resets the timeout. Note this only applies to the content of the session, not the cookie. /// resets the timeout. Note this only applies to the content of the session, not the cookie.

53
test/Microsoft.AspNetCore.Session.Tests/SessionTests.cs
View File

@ -87,6 +87,59 @@ namespace Microsoft.AspNetCore.Session
} }
} }
[Theory]
[InlineData(CookieSecurePolicy.Always, "http://example.com/testpath", true)]
[InlineData(CookieSecurePolicy.Always, "https://example.com/testpath", true)]
[InlineData(CookieSecurePolicy.None, "http://example.com/testpath", false)]
[InlineData(CookieSecurePolicy.None, "https://example.com/testpath", false)]
[InlineData(CookieSecurePolicy.SameAsRequest, "http://example.com/testpath", false)]
[InlineData(CookieSecurePolicy.SameAsRequest, "https://example.com/testpath", true)]
public async Task SecureSessionBasedOnHttpsAndSecurePolicy(
CookieSecurePolicy cookieSecurePolicy,
string requestUri,
bool shouldBeSecureOnly)
{
var builder = new WebHostBuilder()
.Configure(app =>
{
app.UseSession(new SessionOptions
{
CookieName = "TestCookie",
CookieSecure = cookieSecurePolicy
});
app.Run(context =>
{
Assert.Null(context.Session.GetString("Key"));
context.Session.SetString("Key", "Value");
Assert.Equal("Value", context.Session.GetString("Key"));
return Task.FromResult(0);
});
})
.ConfigureServices(services =>
{
services.AddDistributedMemoryCache();
services.AddSession();
});
using (var server = new TestServer(builder))
{
var client = server.CreateClient();
var response = await client.GetAsync(requestUri);
response.EnsureSuccessStatusCode();
IEnumerable<string> values;
Assert.True(response.Headers.TryGetValues("Set-Cookie", out values));
Assert.Equal(1, values.Count());
if (shouldBeSecureOnly)
{
Assert.Contains("; secure", values.First());
}
else
{
Assert.DoesNotContain("; secure", values.First());
}
}
}
[Fact] [Fact]
public async Task SessionCanBeAccessedOnTheNextRequest() public async Task SessionCanBeAccessedOnTheNextRequest()
{ {