#390 Make the nonce cookie expire.

This commit is contained in:
Chris R 2015-09-03 17:54:09 -07:00
parent 5bc13cbd6b
commit 9f7a723843
3 changed files with 8 additions and 2 deletions

View File

@ -666,7 +666,8 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
new CookieOptions new CookieOptions
{ {
HttpOnly = true, HttpOnly = true,
Secure = Request.IsHttps Secure = Request.IsHttps,
Expires = DateTime.UtcNow + Options.ProtocolValidator.NonceLifetime
}); });
} }

View File

@ -169,7 +169,11 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
/// is valid per: http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation /// is valid per: http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
/// </summary> /// </summary>
/// <exception cref="ArgumentNullException">if 'value' is null.</exception> /// <exception cref="ArgumentNullException">if 'value' is null.</exception>
public OpenIdConnectProtocolValidator ProtocolValidator { get; set; } = new OpenIdConnectProtocolValidator { RequireState = false }; public OpenIdConnectProtocolValidator ProtocolValidator { get; set; } = new OpenIdConnectProtocolValidator()
{
RequireState = false,
NonceLifetime = TimeSpan.FromMinutes(15)
};
/// <summary> /// <summary>
/// Gets or sets the 'post_logout_redirect_uri' /// Gets or sets the 'post_logout_redirect_uri'

View File

@ -83,6 +83,7 @@ namespace Microsoft.AspNet.Authentication.Tests.OpenIdConnect
}); });
var transaction = await SendAsync(server, DefaultHost + Challenge); var transaction = await SendAsync(server, DefaultHost + Challenge);
transaction.SetCookie.Single().ShouldContain(OpenIdConnectAuthenticationDefaults.CookieNoncePrefix); transaction.SetCookie.Single().ShouldContain(OpenIdConnectAuthenticationDefaults.CookieNoncePrefix);
transaction.SetCookie.Single().ShouldContain("Expires");
} }
[Fact] [Fact]