From 42b3fada3144fed68e5b20821d99c3684f1c3543 Mon Sep 17 00:00:00 2001
From: Hao Kung
Date: Tue, 2 Apr 2019 09:56:37 -0700
Subject: [PATCH] Add validation to ensure Cookie.Expiration is not set (#8967)

---
 .../Cookies/src/CookieExtensions.cs | 1 +
 .../Authentication/test/CookieTests.cs | 18 +++++++-----------
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/src/Security/Authentication/Cookies/src/CookieExtensions.cs b/src/Security/Authentication/Cookies/src/CookieExtensions.cs
index 4c41f54a9c..7763e6a624 100644
--- a/src/Security/Authentication/Cookies/src/CookieExtensions.cs
+++ b/src/Security/Authentication/Cookies/src/CookieExtensions.cs
@@ -26,6 +26,7 @@ namespace Microsoft.Extensions.DependencyInjection
         public static AuthenticationBuilder AddCookie(this AuthenticationBuilder builder, string authenticationScheme, string displayName, Action configureOptions)
         {
             builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton, PostConfigureCookieAuthenticationOptions>());
+            builder.Services.AddOptions(authenticationScheme).Validate(o => o.Cookie.Expiration == null, "Cookie.Expiration is ignored, use ExpireTimeSpan instead.");
             return builder.AddScheme(authenticationScheme, displayName, configureOptions);
         }
     }
diff --git a/src/Security/Authentication/test/CookieTests.cs b/src/Security/Authentication/test/CookieTests.cs
index 504a264b41..4a72567844 100644
--- a/src/Security/Authentication/test/CookieTests.cs
+++ b/src/Security/Authentication/test/CookieTests.cs
@@ -17,6 +17,7 @@ using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.TestHost;
 using Microsoft.AspNetCore.Testing.xunit;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
 using Xunit;
 
 namespace Microsoft.AspNetCore.Authentication.Cookies
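Review bot: The added Validate call registers a lazy check, so a configuration that sets Cookie.Expiration is only rejected when the named options are first resolved (typically on the first authentication request), not at application startup; the new test in CookieTests.cs confirms the throw happens at options.Get. That timing is worth a comment on the added line so a maintainer does not assume the misconfiguration fails fast, e.g. `// Cookie.Expiration is not honored by the cookie handler; reject it (checked lazily, on first options resolution) so callers use ExpireTimeSpan instead.`. If fail-fast behaviour is wanted, the validation would additionally need to be triggered at startup, which this hunk does not do. The generic type arguments appear to have been stripped from the rendered lines (AddOptions, TryAddEnumerable), so the exact option types cannot be confirmed from this view.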
@@ -140,20 +141,15 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
         }
 
         [Fact]
-        public async Task CookieExpirationOptionIsIgnored()
+        public void SettingCookieExpirationOptionThrows()
         {
-            var server = CreateServerWithServices(s => s.AddAuthentication().AddCookie(o =>
+            var services = new ServiceCollection();
+            services.AddAuthentication().AddCookie(o =>
             {
-                o.Cookie.Name = "TestCookie";
-                // this is currently ignored. Users should set o.ExpireTimeSpan instead
                 o.Cookie.Expiration = TimeSpan.FromDays(10);
-            }), SignInAsAlice);
-
-            var transaction = await SendAsync(server, "http://example.com/testpath");
-
-            var setCookie = transaction.SetCookie;
-            Assert.StartsWith("TestCookie=", setCookie);
-            Assert.DoesNotContain("; expires=", setCookie);
+            });
+            var options = services.BuildServiceProvider().GetRequiredService>();
+            Assert.Throws(() => options.Get(CookieAuthenticationDefaults.AuthenticationScheme));
         }
 
         [Fact]
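Review bot: The assertion on the last added line only checks that resolving the named options throws; the exception's generic type argument is not visible in this rendering, so it cannot be confirmed from here that the test would fail if some unrelated resolution error occurred first. Capturing the exception and checking that its message carries the new validation text would pin the test to this commit's behaviour, e.g. `var ex = Assert.Throws<OptionsValidationException>(() => options.Get(CookieAuthenticationDefaults.AuthenticationScheme));` followed by `Assert.Contains("Cookie.Expiration is ignored", ex.Message);`. The provider returned by `services.BuildServiceProvider()` is disposable and is never disposed here; wrapping it in a `using` block would be tidier, though minor in a unit test. The enclosing test class continues outside the hunk.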