From 331ff2404dcf54b5d7a4dc5caed237fdb5c67788 Mon Sep 17 00:00:00 2001
From: Brennan
Date: Thu, 25 Jul 2019 17:42:23 -0700
Subject: [PATCH] Send HttpOnly (if applicable) when deleting cookies (#12593)
---
 .../Authentication/test/WsFederation/WsFederationTest.cs | 2 +-
 src/Shared/ChunkingCookieManager/ChunkingCookieManager.cs | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/Security/Authentication/test/WsFederation/WsFederationTest.cs b/src/Security/Authentication/test/WsFederation/WsFederationTest.cs
index bc1ef757f1..6cc25f6dd5 100644
--- a/src/Security/Authentication/test/WsFederation/WsFederationTest.cs
+++ b/src/Security/Authentication/test/WsFederation/WsFederationTest.cs
@@ -190,7 +190,7 @@ namespace Microsoft.AspNetCore.Authentication.WsFederation
 response.EnsureSuccessStatusCode();
 var cookie = response.Headers.GetValues(HeaderNames.SetCookie).Single();
- Assert.Equal(".AspNetCore.Cookies=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=lax", cookie);
+ Assert.Equal(".AspNetCore.Cookies=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=lax; httponly", cookie);
 Assert.Equal("OnRemoteSignOut", response.Headers.GetValues("EventHeader").Single());
 Assert.Equal("", await response.Content.ReadAsStringAsync());
 }
diff --git a/src/Shared/ChunkingCookieManager/ChunkingCookieManager.cs b/src/Shared/ChunkingCookieManager/ChunkingCookieManager.cs
index 0df694392a..4f1700bb77 100644
--- a/src/Shared/ChunkingCookieManager/ChunkingCookieManager.cs
+++ b/src/Shared/ChunkingCookieManager/ChunkingCookieManager.cs
@@ -289,6 +289,7 @@ namespace Microsoft.AspNetCore.Internal
 Secure = options.Secure,
 IsEssential = options.IsEssential,
 Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
+ HttpOnly = options.HttpOnly,
 });
 for (int i = 1; i <= chunks; i++)
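Review bot: The updated assertion in the `@@ -190,7 +190,7 @@` hunk only pins the case where the sign-out Set-Cookie header carries `httponly`; nothing in this patch checks the "if applicable" half, i.e. that the attribute is left off when the configured cookie options have `HttpOnly = false`. The diffstat lists only this test file and ChunkingCookieManager.cs, so unless coverage exists elsewhere, the per-chunk deletion changed in the `@@ -305,6 +306,7 @@` hunk is not exercised either. A test at the ChunkingCookieManager level that deletes a chunked cookie and asserts every emitted Set-Cookie header, once per `HttpOnly` setting, would pin both paths. The test method's body starts outside the hunk.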
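Review bot: The expired-cookie options are built field by field in two places, the initializer in this `@@ -289,6 +289,7 @@` hunk and the one inside the chunk loop in the `@@ -305,6 +306,7 @@` hunk, and `HttpOnly` had to be added to both, which is how a security attribute ends up missing from one of them. Building the options once before the loop, along the lines of `var expiredOptions = new CookieOptions { /* same fields */ };`, and passing `expiredOptions` to both calls would keep the base and per-chunk deletions in step; this assumes the callee does not keep or mutate the instance, which is not visible here. A comment on the initializer such as `// Copy HttpOnly from the caller's options so the deletion header carries the same attributes as the original cookie.` would record why each field is mirrored. Both initializers begin above the visible hunk lines, so whether their remaining fields are identical cannot be confirmed from the patch.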
@@ -305,6 +306,7 @@ namespace Microsoft.AspNetCore.Internal
 Secure = options.Secure,
 IsEssential = options.IsEssential,
 Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
+ HttpOnly = options.HttpOnly,
 });
 }
 }