Revert obsoleting CookieAuthenticationOptions.ExpireTimeSpan (#1296)

- Revert the obsoleting of CookieAuthenticationOptions.ExpireTimeSpan in aspnet/Security#1285
- Add test to ensure Cookie.Expiration is ignored
This commit is contained in:
Nate McMaster 2017-07-05 15:43:43 -07:00 committed by GitHub
parent 658f4621b1
commit bd19ba9533
4 changed files with 45 additions and 39 deletions

View File

@ -270,14 +270,14 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
if (!signInContext.Properties.ExpiresUtc.HasValue) if (!signInContext.Properties.ExpiresUtc.HasValue)
{ {
signInContext.Properties.ExpiresUtc = issuedUtc.Add(Options.Cookie.Expiration ?? default(TimeSpan)); signInContext.Properties.ExpiresUtc = issuedUtc.Add(Options.ExpireTimeSpan);
} }
await Events.SigningIn(signInContext); await Events.SigningIn(signInContext);
if (signInContext.Properties.IsPersistent) if (signInContext.Properties.IsPersistent)
{ {
var expiresUtc = signInContext.Properties.ExpiresUtc ?? issuedUtc.Add(Options.Cookie.Expiration ?? default(TimeSpan)); var expiresUtc = signInContext.Properties.ExpiresUtc ?? issuedUtc.Add(Options.ExpireTimeSpan);
signInContext.CookieOptions.Expires = expiresUtc.ToUniversalTime(); signInContext.CookieOptions.Expires = expiresUtc.ToUniversalTime();
} }

View File

@ -21,7 +21,6 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
SameSite = SameSiteMode.Lax, SameSite = SameSiteMode.Lax,
HttpOnly = true, HttpOnly = true,
SecurePolicy = CookieSecurePolicy.SameAsRequest, SecurePolicy = CookieSecurePolicy.SameAsRequest,
Expiration = TimeSpan.FromDays(14),
}; };
/// <summary> /// <summary>
@ -29,6 +28,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// </summary> /// </summary>
public CookieAuthenticationOptions() public CookieAuthenticationOptions()
{ {
ExpireTimeSpan = TimeSpan.FromDays(14);
ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter; ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
SlidingExpiration = true; SlidingExpiration = true;
Events = new CookieAuthenticationEvents(); Events = new CookieAuthenticationEvents();
@ -42,7 +42,6 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// <seealso cref="CookieBuilder.SameSite"/> defaults to <see cref="SameSiteMode.Lax"/>. /// <seealso cref="CookieBuilder.SameSite"/> defaults to <see cref="SameSiteMode.Lax"/>.
/// <seealso cref="CookieBuilder.HttpOnly"/> defaults to <c>true</c>. /// <seealso cref="CookieBuilder.HttpOnly"/> defaults to <c>true</c>.
/// <seealso cref="CookieBuilder.SecurePolicy"/> defaults to <see cref="CookieSecurePolicy.SameAsRequest"/>. /// <seealso cref="CookieBuilder.SecurePolicy"/> defaults to <see cref="CookieSecurePolicy.SameAsRequest"/>.
/// <seealso cref="CookieBuilder.Expiration"/> defaults to 14 days.
/// </para> /// </para>
/// </summary> /// </summary>
/// <remarks> /// <remarks>
@ -60,9 +59,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// The default is true, which means the cookie will only be passed to http requests and is not made available to script on the page. /// The default is true, which means the cookie will only be passed to http requests and is not made available to script on the page.
/// </para> /// </para>
/// <para> /// <para>
/// <seealso cref="CookieBuilder.Expiration"/> controls how much time the cookie will remain valid from the point it is created. The expiration /// <seealso cref="CookieBuilder.Expiration"/> is currently ignored. Use <see cref="ExpireTimeSpan"/> to control lifetime of cookie authentication.
/// information is in the protected cookie ticket. Because of that an expired cookie will be ignored
/// even if it is passed to the server after the browser should have purged it
/// </para> /// </para>
/// </remarks> /// </remarks>
public CookieBuilder Cookie public CookieBuilder Cookie
@ -140,6 +137,19 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// </summary> /// </summary>
public ITicketStore SessionStore { get; set; } public ITicketStore SessionStore { get; set; }
/// <summary>
/// <para>
/// Controls how much time the authentication ticket stored in the cookie will remain valid from the point it is created
/// The expiration information is stored in the protected cookie ticket. Because of that an expired cookie will be ignored
/// even if it is passed to the server after the browser should have purged it.
/// </para>
/// <para>
/// This is separate from the value of <seealso cref="CookieOptions.Expires"/>, which specifies
/// how long the browser will keep the cookie.
/// </para>
/// </summary>
public TimeSpan ExpireTimeSpan { get; set; }
#region Obsolete API #region Obsolete API
/// <summary> /// <summary>
/// <para> /// <para>
@ -201,23 +211,6 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// </summary> /// </summary>
[Obsolete("This property is obsolete and will be removed in a future version. The recommended alternative is " + nameof(Cookie) + "." + nameof(CookieBuilder.SecurePolicy) + ".")] [Obsolete("This property is obsolete and will be removed in a future version. The recommended alternative is " + nameof(Cookie) + "." + nameof(CookieBuilder.SecurePolicy) + ".")]
public CookieSecurePolicy CookieSecure { get => Cookie.SecurePolicy; set => Cookie.SecurePolicy = value; } public CookieSecurePolicy CookieSecure { get => Cookie.SecurePolicy; set => Cookie.SecurePolicy = value; }
/// <summary>
/// <para>
/// This property is obsolete and will be removed in a future version. The recommended alternative is <seealso cref="CookieBuilder.Expiration"/> on <see cref="Cookie"/>.
/// </para>
/// <para>
/// Controls how much time the cookie will remain valid from the point it is created. The expiration
/// information is in the protected cookie ticket. Because of that an expired cookie will be ignored
/// even if it is passed to the server after the browser should have purged it
/// </para>
/// </summary>
[Obsolete("This property is obsolete and will be removed in a future version. The recommended alternative is " + nameof(Cookie) + "." + nameof(CookieBuilder.Expiration) + ".")]
public TimeSpan ExpireTimeSpan
{
get => Cookie.Expiration ?? default(TimeSpan);
set => Cookie.Expiration = value;
}
#endregion #endregion
} }
} }

View File

@ -19,8 +19,4 @@
<ProjectReference Include="..\Microsoft.AspNetCore.Authentication\Microsoft.AspNetCore.Authentication.csproj" /> <ProjectReference Include="..\Microsoft.AspNetCore.Authentication\Microsoft.AspNetCore.Authentication.csproj" />
</ItemGroup> </ItemGroup>
<ItemGroup>
<Folder Include="Properties\" />
</ItemGroup>
</Project> </Project>

View File

@ -143,6 +143,23 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
Assert.DoesNotContain("; secure", setCookie); Assert.DoesNotContain("; secure", setCookie);
} }
[Fact]
public async Task CookieExpirationOptionIsIgnored()
{
var server = CreateServerWithServices(s => s.AddAuthentication().AddCookie(o =>
{
o.Cookie.Name = "TestCookie";
// this is currently ignored. Users should set o.ExpireTimeSpan instead
o.Cookie.Expiration = TimeSpan.FromDays(10);
}), SignInAsAlice);
var transaction = await SendAsync(server, "http://example.com/testpath");
var setCookie = transaction.SetCookie;
Assert.StartsWith("TestCookie=", setCookie);
Assert.DoesNotContain("; expires=", setCookie);
}
[Fact] [Fact]
public async Task SignInWrongAuthTypeThrows() public async Task SignInWrongAuthTypeThrows()
{ {
@ -277,7 +294,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{ {
var server = CreateServer(o => var server = CreateServer(o =>
{ {
o.Cookie.Expiration = TimeSpan.FromMinutes(10); o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false; o.SlidingExpiration = false;
}, SignInAsAlice); }, SignInAsAlice);
@ -306,7 +323,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{ {
var server = CreateServer(o => var server = CreateServer(o =>
{ {
o.Cookie.Expiration = TimeSpan.FromMinutes(10); o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false; o.SlidingExpiration = false;
}, },
context => context =>
@ -339,7 +356,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{ {
var server = CreateServer(o => var server = CreateServer(o =>
{ {
o.Cookie.Expiration = TimeSpan.FromMinutes(10); o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.Events = new CookieAuthenticationEvents o.Events = new CookieAuthenticationEvents
{ {
OnValidatePrincipal = ctx => OnValidatePrincipal = ctx =>
@ -367,7 +384,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{ {
var server = CreateServer(o => var server = CreateServer(o =>
{ {
o.Cookie.Expiration = TimeSpan.FromMinutes(10); o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false; o.SlidingExpiration = false;
o.Events = new CookieAuthenticationEvents o.Events = new CookieAuthenticationEvents
{ {
@ -395,7 +412,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{ {
var server = CreateServer(o => var server = CreateServer(o =>
{ {
o.Cookie.Expiration = TimeSpan.FromMinutes(10); o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false; o.SlidingExpiration = false;
o.Events = new CookieAuthenticationEvents o.Events = new CookieAuthenticationEvents
{ {
@ -431,7 +448,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{ {
var server = CreateServer(o => var server = CreateServer(o =>
{ {
o.Cookie.Expiration = TimeSpan.FromMinutes(10); o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false; o.SlidingExpiration = false;
o.Events = new CookieAuthenticationEvents o.Events = new CookieAuthenticationEvents
{ {
@ -476,7 +493,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{ {
var server = CreateServer(o => var server = CreateServer(o =>
{ {
o.Cookie.Expiration = TimeSpan.FromMinutes(10); o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.Events = new CookieAuthenticationEvents o.Events = new CookieAuthenticationEvents
{ {
OnValidatePrincipal = ctx => OnValidatePrincipal = ctx =>
@ -520,7 +537,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{ {
var server = CreateServer(o => var server = CreateServer(o =>
{ {
o.Cookie.Expiration = TimeSpan.FromMinutes(10); o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false; o.SlidingExpiration = false;
o.Events = new CookieAuthenticationEvents o.Events = new CookieAuthenticationEvents
{ {
@ -569,7 +586,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
DateTimeOffset? lastExpiresDate = null; DateTimeOffset? lastExpiresDate = null;
var server = CreateServer(o => var server = CreateServer(o =>
{ {
o.Cookie.Expiration = TimeSpan.FromMinutes(10); o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = sliding; o.SlidingExpiration = sliding;
o.Events = new CookieAuthenticationEvents o.Events = new CookieAuthenticationEvents
{ {
@ -619,7 +636,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{ {
var server = CreateServer(o => var server = CreateServer(o =>
{ {
o.Cookie.Expiration = TimeSpan.FromMinutes(10); o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = false; o.SlidingExpiration = false;
o.Events = new CookieAuthenticationEvents() o.Events = new CookieAuthenticationEvents()
{ {
@ -656,7 +673,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
{ {
var server = CreateServer(o => var server = CreateServer(o =>
{ {
o.Cookie.Expiration = TimeSpan.FromMinutes(10); o.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.SlidingExpiration = true; o.SlidingExpiration = true;
}, },
SignInAsAlice); SignInAsAlice);