Revert obsoleting CookieAuthenticationOptions.ExpireTimeSpan (#1296)

- Revert the obsoleting of CookieAuthenticationOptions.ExpireTimeSpan in aspnet/Security#1285
- Add test to ensure Cookie.Expiration is ignored
Nate McMaster 2017-07-05 15:43:43 -07:00 committed by GitHub
parent 658f4621b1
commit bd19ba9533
4 changed files with 45 additions and 39 deletions


@ -270,14 +270,14 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
if (!signInContext.Properties.ExpiresUtc.HasValue)
{
signInContext.Properties.ExpiresUtc = issuedUtc.Add(Options.Cookie.Expiration ?? default(TimeSpan));
signInContext.Properties.ExpiresUtc = issuedUtc.Add(Options.ExpireTimeSpan);
}
await Events.SigningIn(signInContext);
if (signInContext.Properties.IsPersistent)
{
var expiresUtc = signInContext.Properties.ExpiresUtc ?? issuedUtc.Add(Options.Cookie.Expiration ?? default(TimeSpan));
var expiresUtc = signInContext.Properties.ExpiresUtc ?? issuedUtc.Add(Options.ExpireTimeSpan);
signInContext.CookieOptions.Expires = expiresUtc.ToUniversalTime();
}
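Review bot: Both expiry computations in this sign-in path now read only `Options.ExpireTimeSpan`, so a value an application assigned to `Options.Cookie.Expiration` is dropped without any signal. The ticket lifetime then falls back to whatever `ExpireTimeSpan` holds, which is 14 days by default per the options constructor changed in this commit. An application that set a short `Cookie.Expiration` to bound session lifetime would get a longer-lived authentication ticket than it configured. Consider failing fast where the options are validated, for example `if (Options.Cookie.Expiration.HasValue) throw new InvalidOperationException("Cookie.Expiration is ignored, use ExpireTimeSpan instead.");`, or at least logging a warning. The enclosing method starts and ends outside the hunk, so the best place for the check is not visible here.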


@ -21,7 +21,6 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
SameSite = SameSiteMode.Lax,
HttpOnly = true,
SecurePolicy = CookieSecurePolicy.SameAsRequest,
Expiration = TimeSpan.FromDays(14),
};
/// <summary>
@ -29,6 +28,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// </summary>
public CookieAuthenticationOptions()
{
ExpireTimeSpan = TimeSpan.FromDays(14);
ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
SlidingExpiration = true;
Events = new CookieAuthenticationEvents();
@ -42,7 +42,6 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// <seealso cref="CookieBuilder.SameSite"/> defaults to <see cref="SameSiteMode.Lax"/>.
/// <seealso cref="CookieBuilder.HttpOnly"/> defaults to <c>true</c>.
/// <seealso cref="CookieBuilder.SecurePolicy"/> defaults to <see cref="CookieSecurePolicy.SameAsRequest"/>.
/// <seealso cref="CookieBuilder.Expiration"/> defaults to 14 days.
/// </para>
/// </summary>
/// <remarks>
@ -60,9 +59,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// The default is true, which means the cookie will only be passed to http requests and is not made available to script on the page.
/// </para>
/// <para>
/// <seealso cref="CookieBuilder.Expiration"/> controls how much time the cookie will remain valid from the point it is created. The expiration
/// information is in the protected cookie ticket. Because of that an expired cookie will be ignored
/// even if it is passed to the server after the browser should have purged it
/// <seealso cref="CookieBuilder.Expiration"/> is currently ignored. Use <see cref="ExpireTimeSpan"/> to control lifetime of cookie authentication.
/// </para>
/// </remarks>
public CookieBuilder Cookie
@ -140,6 +137,19 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// </summary>
public ITicketStore SessionStore { get; set; }
/// <summary>
/// <para>
/// Controls how much time the authentication ticket stored in the cookie will remain valid from the point it is created
/// The expiration information is stored in the protected cookie ticket. Because of that an expired cookie will be ignored
/// even if it is passed to the server after the browser should have purged it.
/// </para>
/// <para>
/// This is separate from the value of <seealso cref="CookieOptions.Expires"/>, which specifies
/// how long the browser will keep the cookie.
/// </para>
/// </summary>
public TimeSpan ExpireTimeSpan { get; set; }
#region Obsolete API
/// <summary>
/// <para>
@ -201,23 +211,6 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// </summary>
[Obsolete("This property is obsolete and will be removed in a future version. The recommended alternative is " + nameof(Cookie) + "." + nameof(CookieBuilder.SecurePolicy) + ".")]
public CookieSecurePolicy CookieSecure { get => Cookie.SecurePolicy; set => Cookie.SecurePolicy = value; }
/// <summary>
/// <para>
/// This property is obsolete and will be removed in a future version. The recommended alternative is <seealso cref="CookieBuilder.Expiration"/> on <see cref="Cookie"/>.
/// </para>
/// <para>
/// Controls how much time the cookie will remain valid from the point it is created. The expiration
/// information is in the protected cookie ticket. Because of that an expired cookie will be ignored
/// even if it is passed to the server after the browser should have purged it
/// </para>
/// </summary>
[Obsolete("This property is obsolete and will be removed in a future version. The recommended alternative is " + nameof(Cookie) + "." + nameof(CookieBuilder.Expiration) + ".")]
public TimeSpan ExpireTimeSpan
{
get => Cookie.Expiration ?? default(TimeSpan);
set => Cookie.Expiration = value;
}
#endregion
}
}
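Review bot: The new `ExpireTimeSpan` summary does not state its default, and this commit deletes the only doc line that did (`CookieBuilder.Expiration` defaults to 14 days) while moving the default into the constructor. Add a sentence such as `/// Defaults to 14 days.` to the summary, and end its first sentence with a period (`...from the point it is created.`). Nothing visible in these hunks validates the value, so if a zero or negative `ExpireTimeSpan` is meant to produce a ticket that is already expired when issued, the summary should say that too.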


@ -19,8 +19,4 @@
<ProjectReference Include="..\Microsoft.AspNetCore.Authentication\Microsoft.AspNetCore.Authentication.csproj" />
</ItemGroup>
<ItemGroup>
<Folder Include="Properties\" />
</ItemGroup>
</Project>


@ -143,6 +143,23 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
Assert.DoesNotContain("; secure", setCookie);
}
[Fact]
public async Task CookieExpirationOptionIsIgnored()
{
var server = CreateServerWithServices(s => s.AddAuthentication().AddCookie(o =>
{
o.Cookie.Name = "TestCookie";
// this is currently ignored. Users should set o.ExpireTimeSpan instead
o.Cookie.Expiration = TimeSpan.FromDays(10);
}), SignInAsAlice);
var transaction = await SendAsync(server, "http://example.com/testpath");
var setCookie = transaction.SetCookie;
Assert.StartsWith("TestCookie=", setCookie);
Assert.DoesNotContain("; expires=", setCookie);
}
[Fact]
public async Task SignInWrongAuthTypeThrows()
{
@ -277,7 +294,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{
var server = CreateServer(o =>
{
o.Cookie.Expiration = TimeSpan.FromMinutes(10);
o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false;
}, SignInAsAlice);
@ -306,7 +323,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{
var server = CreateServer(o =>
{
o.Cookie.Expiration = TimeSpan.FromMinutes(10);
o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false;
},
context =>
@ -339,7 +356,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{
var server = CreateServer(o =>
{
o.Cookie.Expiration = TimeSpan.FromMinutes(10);
o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.Events = new CookieAuthenticationEvents
{
OnValidatePrincipal = ctx =>
@ -367,7 +384,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{
var server = CreateServer(o =>
{
o.Cookie.Expiration = TimeSpan.FromMinutes(10);
o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false;
o.Events = new CookieAuthenticationEvents
{
@ -395,7 +412,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{
var server = CreateServer(o =>
{
o.Cookie.Expiration = TimeSpan.FromMinutes(10);
o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false;
o.Events = new CookieAuthenticationEvents
{
@ -431,7 +448,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{
var server = CreateServer(o =>
{
o.Cookie.Expiration = TimeSpan.FromMinutes(10);
o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false;
o.Events = new CookieAuthenticationEvents
{
@ -476,7 +493,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{
var server = CreateServer(o =>
{
o.Cookie.Expiration = TimeSpan.FromMinutes(10);
o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.Events = new CookieAuthenticationEvents
{
OnValidatePrincipal = ctx =>
@ -520,7 +537,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{
var server = CreateServer(o =>
{
o.Cookie.Expiration = TimeSpan.FromMinutes(10);
o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false;
o.Events = new CookieAuthenticationEvents
{
@ -569,7 +586,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
DateTimeOffset? lastExpiresDate = null;
var server = CreateServer(o =>
{
o.Cookie.Expiration = TimeSpan.FromMinutes(10);
o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = sliding;
o.Events = new CookieAuthenticationEvents
{
@ -619,7 +636,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{
var server = CreateServer(o =>
{
o.Cookie.Expiration = TimeSpan.FromMinutes(10);
o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false;
o.Events = new CookieAuthenticationEvents()
{
@ -656,7 +673,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{
var server = CreateServer(o =>
{
o.Cookie.Expiration = TimeSpan.FromMinutes(10);
o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = true;
},
SignInAsAlice);
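Review bot: `CookieExpirationOptionIsIgnored` asserts only that the Set-Cookie header has no `; expires=` attribute, which covers the browser-side cookie but not the lifetime of the protected ticket that the server actually enforces. The test would still pass if `Cookie.Expiration` leaked into the ticket's `ExpiresUtc`. Consider also setting `o.ExpireTimeSpan = TimeSpan.FromMinutes(10);` in the same options lambda and asserting that the sign-in is rejected once the clock passes ten minutes. The neighbouring expiry tests appear to do something similar, but their bodies are outside the hunks shown. A comment on the assertion such as `// non-persistent sign-in: the browser cookie must stay a session cookie` would also make its intent clear.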