#63 - Use the PathBase in the Cookie path by default.

This commit is contained in:
Chris Ross 2014-12-18 14:41:16 -08:00
parent 2d2eedf89e
commit 8b7d33baaf
3 changed files with 38 additions and 16 deletions

View File

@ -146,7 +146,7 @@ namespace Microsoft.AspNet.Security.Cookies
{ {
Domain = Options.CookieDomain, Domain = Options.CookieDomain,
HttpOnly = Options.CookieHttpOnly, HttpOnly = Options.CookieHttpOnly,
Path = Options.CookiePath ?? "/", Path = Options.CookiePath ?? (RequestPathBase.HasValue ? RequestPathBase.ToString() : "/"),
}; };
if (Options.CookieSecure == CookieSecureOption.SameAsRequest) if (Options.CookieSecure == CookieSecureOption.SameAsRequest)
{ {

View File

@ -24,7 +24,6 @@ namespace Microsoft.AspNet.Security.Cookies
{ {
AuthenticationType = CookieAuthenticationDefaults.AuthenticationType; AuthenticationType = CookieAuthenticationDefaults.AuthenticationType;
ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter; ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
CookiePath = "/";
ExpireTimeSpan = TimeSpan.FromDays(14); ExpireTimeSpan = TimeSpan.FromDays(14);
SlidingExpiration = true; SlidingExpiration = true;
CookieHttpOnly = true; CookieHttpOnly = true;

View File

@ -137,21 +137,11 @@ namespace Microsoft.AspNet.Security.Cookies
options.CookieDomain = "another.com"; options.CookieDomain = "another.com";
options.CookieSecure = CookieSecureOption.Always; options.CookieSecure = CookieSecureOption.Always;
options.CookieHttpOnly = true; options.CookieHttpOnly = true;
}, SignInAsAlice); }, SignInAsAlice, new Uri("http://example.com/base"));
Transaction transaction1 = await SendAsync(server1, "http://example.com/testpath"); Transaction transaction1 = await SendAsync(server1, "http://example.com/base/testpath");
TestServer server2 = CreateServer(options =>
{
options.CookieName = "SecondCookie";
options.CookieSecure = CookieSecureOption.Never;
options.CookieHttpOnly = false;
}, SignInAsAlice);
Transaction transaction2 = await SendAsync(server2, "http://example.com/testpath");
string setCookie1 = transaction1.SetCookie; string setCookie1 = transaction1.SetCookie;
string setCookie2 = transaction2.SetCookie;
setCookie1.ShouldContain("TestCookie="); setCookie1.ShouldContain("TestCookie=");
setCookie1.ShouldContain(" path=/foo"); setCookie1.ShouldContain(" path=/foo");
@ -159,7 +149,19 @@ namespace Microsoft.AspNet.Security.Cookies
setCookie1.ShouldContain(" secure"); setCookie1.ShouldContain(" secure");
setCookie1.ShouldContain(" HttpOnly"); setCookie1.ShouldContain(" HttpOnly");
TestServer server2 = CreateServer(options =>
{
options.CookieName = "SecondCookie";
options.CookieSecure = CookieSecureOption.Never;
options.CookieHttpOnly = false;
}, SignInAsAlice, new Uri("http://example.com/base"));
Transaction transaction2 = await SendAsync(server2, "http://example.com/base/testpath");
string setCookie2 = transaction2.SetCookie;
setCookie2.ShouldContain("SecondCookie="); setCookie2.ShouldContain("SecondCookie=");
setCookie2.ShouldContain(" path=/base");
setCookie2.ShouldNotContain(" domain="); setCookie2.ShouldNotContain(" domain=");
setCookie2.ShouldNotContain(" secure"); setCookie2.ShouldNotContain(" secure");
setCookie2.ShouldNotContain(" HttpOnly"); setCookie2.ShouldNotContain(" HttpOnly");
@ -343,6 +345,25 @@ namespace Microsoft.AspNet.Security.Cookies
responded.Single().ShouldContain("\"location\""); responded.Single().ShouldContain("\"location\"");
} }
[Fact]
public async Task CookieUsesPathBaseByDefault()
{
var clock = new TestClock();
TestServer server = CreateServer(options =>
{
},
context =>
{
Assert.Equal(new PathString("/base"), context.Request.PathBase);
context.Response.SignIn(new ClaimsIdentity(new GenericIdentity("Alice", "Cookies")));
return Task.FromResult<object>(null);
},
new Uri("http://example.com/base"));
Transaction transaction1 = await SendAsync(server, "http://example.com/base/testpath");
Assert.True(transaction1.SetCookie.Contains("path=/base"));
}
private static string FindClaimValue(Transaction transaction, string claimType) private static string FindClaimValue(Transaction transaction, string claimType)
{ {
XElement claim = transaction.ResponseElement.Elements("claim").SingleOrDefault(elt => elt.Attribute("type").Value == claimType); XElement claim = transaction.ResponseElement.Elements("claim").SingleOrDefault(elt => elt.Attribute("type").Value == claimType);
@ -364,9 +385,9 @@ namespace Microsoft.AspNet.Security.Cookies
return me; return me;
} }
private static TestServer CreateServer(Action<CookieAuthenticationOptions> configureOptions, Func<HttpContext, Task> testpath = null) private static TestServer CreateServer(Action<CookieAuthenticationOptions> configureOptions, Func<HttpContext, Task> testpath = null, Uri baseAddress = null)
{ {
return TestServer.Create(app => var server = TestServer.Create(app =>
{ {
app.UseServices(services => services.AddDataProtection()); app.UseServices(services => services.AddDataProtection());
app.UseCookieAuthentication(configureOptions); app.UseCookieAuthentication(configureOptions);
@ -406,6 +427,8 @@ namespace Microsoft.AspNet.Security.Cookies
} }
}); });
}); });
server.BaseAddress = baseAddress;
return server;
} }
private static void Describe(HttpResponse res, AuthenticationResult result) private static void Describe(HttpResponse res, AuthenticationResult result)