[Fixes #101] Cookie path is always / in IIS

This commit is contained in:
Kiran Challa 2016-09-01 09:54:10 -07:00
parent c3476cf327
commit ad90db343c
2 changed files with 44 additions and 5 deletions

View File

@ -69,8 +69,9 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
Debug.Assert(httpContext != null); Debug.Assert(httpContext != null);
Debug.Assert(token != null); Debug.Assert(token != null);
var options = new CookieOptions() { HttpOnly = true }; var options = new CookieOptions();
options.HttpOnly = true;
options.Path = httpContext.Request.PathBase;
// Note: don't use "newCookie.Secure = _options.RequireSSL;" since the default // Note: don't use "newCookie.Secure = _options.RequireSSL;" since the default
// value of newCookie.Secure is poulated out of band. // value of newCookie.Secure is poulated out of band.
if (_options.RequireSsl) if (_options.RequireSsl)

View File

@ -245,10 +245,13 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
bool defaultCookieSecureValue = expectedCookieSecureFlag ?? false; // pulled from config; set by ctor bool defaultCookieSecureValue = expectedCookieSecureFlag ?? false; // pulled from config; set by ctor
var cookies = new MockResponseCookieCollection(); var cookies = new MockResponseCookieCollection();
var mockHttpContext = new Mock<HttpContext>(); var httpContext = new Mock<HttpContext>();
mockHttpContext httpContext
.Setup(o => o.Response.Cookies) .Setup(o => o.Response.Cookies)
.Returns(cookies); .Returns(cookies);
httpContext
.SetupGet(hc => hc.Request.PathBase)
.Returns("/");
var options = new AntiforgeryOptions() var options = new AntiforgeryOptions()
{ {
@ -259,7 +262,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
var tokenStore = new DefaultAntiforgeryTokenStore(new TestOptionsManager(options)); var tokenStore = new DefaultAntiforgeryTokenStore(new TestOptionsManager(options));
// Act // Act
tokenStore.SaveCookieToken(mockHttpContext.Object, token); tokenStore.SaveCookieToken(httpContext.Object, token);
// Assert // Assert
Assert.Equal(1, cookies.Count); Assert.Equal(1, cookies.Count);
@ -270,6 +273,41 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
Assert.Equal(defaultCookieSecureValue, cookies.Options.Secure); Assert.Equal(defaultCookieSecureValue, cookies.Options.Secure);
} }
[Theory]
[InlineData("/")]
[InlineData("/vdir1")]
[InlineData("/vdir1/vdir2")]
public void SaveCookieToken_SetsCookieWithApproriatePathBase(string requestPathBase)
{
// Arrange
var token = "serialized-value";
var cookies = new MockResponseCookieCollection();
var httpContext = new Mock<HttpContext>();
httpContext
.Setup(hc => hc.Response.Cookies)
.Returns(cookies);
httpContext
.SetupGet(hc => hc.Request.PathBase)
.Returns(requestPathBase);
httpContext
.SetupGet(hc => hc.Request.Path)
.Returns("/index.html");
var options = new AntiforgeryOptions();
options.CookieName = _cookieName;
var tokenStore = new DefaultAntiforgeryTokenStore(new TestOptionsManager(options));
// Act
tokenStore.SaveCookieToken(httpContext.Object, token);
// Assert
Assert.Equal(1, cookies.Count);
Assert.NotNull(cookies);
Assert.Equal(_cookieName, cookies.Key);
Assert.Equal("serialized-value", cookies.Value);
Assert.True(cookies.Options.HttpOnly);
Assert.Equal(requestPathBase, cookies.Options.Path);
}
private HttpContext GetHttpContext(string cookieName, string cookieValue) private HttpContext GetHttpContext(string cookieName, string cookieValue)
{ {
var cookies = new RequestCookieCollection(new Dictionary<string, string> var cookies = new RequestCookieCollection(new Dictionary<string, string>