Update default settings for SameSite

- Need Lax policy for social authentication
- Need None policy for OIDC
John Luo 2017-05-24 17:04:14 -07:00
parent 348cdf9da9
commit c523839078
8 changed files with 49 additions and 45 deletions

.gitignore vendored

@ -28,4 +28,5 @@ project.lock.json
.build/
.testPublish/
/.vs/
.vscode/
global.json


@ -15,6 +15,7 @@ namespace OpenIdConnect.AzureAdSample
factory.AddFilter("Console", level => level >= LogLevel.Information);
})
.UseKestrel()
.UseUrls("http://localhost:42023")
.UseContentRoot(Directory.GetCurrentDirectory())
.UseIISIntegration()
.UseStartup<Startup>()
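Review bot: The added `.UseUrls("http://localhost:42023")` is a plain-http binding that the commit message does not mention, and it lands in the same commit that sets `CookieSecure = CookieSecurePolicy.SameAsRequest` on the cookie defaults, so cookies issued by this sample will not carry `Secure`. That is acceptable for a local sample but should be stated, e.g. `// Local development only: plain http, so auth cookies are issued without Secure.` above the line, or the binding moved to launch settings so the sample itself stays scheme-neutral. The host builder chain starts before and continues past this hunk.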


@ -22,7 +22,8 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
ExpireTimeSpan = TimeSpan.FromDays(14);
SlidingExpiration = true;
CookieSameSite = SameSiteMode.Strict;
// To support OAuth authentication, a lax mode is required, see https://github.com/aspnet/Security/issues/1231.
CookieSameSite = SameSiteMode.Lax;
CookieHttpOnly = true;
CookieSecure = CookieSecurePolicy.SameAsRequest;
Events = new CookieAuthenticationEvents();
@ -59,7 +60,8 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// <summary>
/// Determines if the browser should allow the cookie to be attached to same-site or cross-site requests. The
/// default is Strict, which means the cookie is only allowed to be attached to same-site requests.
/// default is Lax, which means the cookie is only allowed to be attached to cross-site requests using safe
/// HTTP methods and same-site requests.
/// </summary>
public SameSiteMode CookieSameSite { get; set; }
@ -84,8 +86,8 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// <summary>
/// Controls how much time the cookie will remain valid from the point it is created. The expiration
/// information is in the protected cookie ticket. Because of that an expired cookie will be ignored
/// even if it is passed to the server after the browser should have purged it
/// information is in the protected cookie ticket. Because of that an expired cookie will be ignored
/// even if it is passed to the server after the browser should have purged it
/// </summary>
public TimeSpan ExpireTimeSpan { get; set; }
@ -99,7 +101,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// The LoginPath property informs the handler that it should change an outgoing 401 Unauthorized status
/// code into a 302 redirection onto the given login path. The current url which generated the 401 is added
/// to the LoginPath as a query string parameter named by the ReturnUrlParameter. Once a request to the
/// LoginPath grants a new SignIn identity, the ReturnUrlParameter value is used to redirect the browser back
/// LoginPath grants a new SignIn identity, the ReturnUrlParameter value is used to redirect the browser back
/// to the url which caused the original unauthorized status code.
/// </summary>
public PathString LoginPath { get; set; }
@ -117,15 +119,15 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
/// <summary>
/// The ReturnUrlParameter determines the name of the query string parameter which is appended by the handler
/// when a 401 Unauthorized status code is changed to a 302 redirect onto the login path. This is also the query
/// string parameter looked for when a request arrives on the login path or logout path, in order to return to the
/// when a 401 Unauthorized status code is changed to a 302 redirect onto the login path. This is also the query
/// string parameter looked for when a request arrives on the login path or logout path, in order to return to the
/// original url after the action is performed.
/// </summary>
public string ReturnUrlParameter { get; set; }
/// <summary>
/// The Provider may be assigned to an instance of an object created by the application at startup time. The handler
/// calls methods on the provider which give the application control at certain points where processing is occurring.
/// calls methods on the provider which give the application control at certain points where processing is occurring.
/// If it is not provided a default instance is supplied which does nothing when the methods are called.
/// </summary>
public new CookieAuthenticationEvents Events


@ -62,7 +62,7 @@ namespace Microsoft.AspNetCore.Authentication.OpenIdConnect
}
/// <summary>
/// The handler calls methods on the events which give the application control at certain points where processing is occurring.
/// The handler calls methods on the events which give the application control at certain points where processing is occurring.
/// If it is not provided a default instance is supplied which does nothing when the methods are called.
/// </summary>
protected new OpenIdConnectEvents Events
@ -892,7 +892,7 @@ namespace Microsoft.AspNetCore.Authentication.OpenIdConnect
new CookieOptions
{
HttpOnly = true,
SameSite = Http.SameSiteMode.Lax,
SameSite = Http.SameSiteMode.None,
Secure = Request.IsHttps,
Expires = Clock.UtcNow.Add(Options.ProtocolValidator.NonceLifetime)
});
@ -924,7 +924,7 @@ namespace Microsoft.AspNetCore.Authentication.OpenIdConnect
var cookieOptions = new CookieOptions
{
HttpOnly = true,
SameSite = Http.SameSiteMode.Lax,
SameSite = Http.SameSiteMode.None,
Secure = Request.IsHttps
};
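Review bot: The nonce cookie is switched to `SameSiteMode.None` with no comment saying why, unlike the matching change in CookieAuthenticationOptions, and the reason cannot be read from this hunk; presumably the authorization response returns as a cross-site POST (form_post), which a Lax cookie would not accompany. I would add, above the `new CookieOptions` at the nonce write, `// The authorization response may come back cross-site via POST (form_post); a Lax cookie would be withheld, so no SameSite restriction is applied here.` adjusted to the response mode the handler actually uses. Note that `Secure = Request.IsHttps` sits beside it: if the framework emits a literal `SameSite=None` attribute, browsers require `Secure` with it and will discard the cookie on plain-http hosts, so the None/non-Secure pairing deserves a comment or a guard. The methods that write and delete the nonce cookie start and end outside their hunks.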


@ -31,7 +31,7 @@ namespace Microsoft.AspNetCore.Authentication.Twitter
private HttpClient Backchannel => Options.Backchannel;
/// <summary>
/// The handler calls methods on the events which give the application control at certain points where processing is occurring.
/// The handler calls methods on the events which give the application control at certain points where processing is occurring.
/// If it is not provided a default instance is supplied which does nothing when the methods are called.
/// </summary>
protected new TwitterEvents Events


@ -12,7 +12,7 @@ using Microsoft.Extensions.Options;
namespace Microsoft.AspNetCore.Authentication
{
public abstract class RemoteAuthenticationHandler<TOptions> : AuthenticationHandler<TOptions>, IAuthenticationRequestHandler
public abstract class RemoteAuthenticationHandler<TOptions> : AuthenticationHandler<TOptions>, IAuthenticationRequestHandler
where TOptions : RemoteAuthenticationOptions, new()
{
private const string CorrelationPrefix = ".AspNetCore.Correlation.";
@ -25,7 +25,7 @@ namespace Microsoft.AspNetCore.Authentication
protected string SignInScheme => Options.SignInScheme;
/// <summary>
/// The handler calls methods on the events which give the application control at certain points where processing is occurring.
/// The handler calls methods on the events which give the application control at certain points where processing is occurring.
/// If it is not provided a default instance is supplied which does nothing when the methods are called.
/// </summary>
protected new RemoteAuthenticationEvents Events
@ -203,7 +203,7 @@ namespace Microsoft.AspNetCore.Authentication
var cookieOptions = new CookieOptions
{
HttpOnly = true,
SameSite = SameSiteMode.Lax,
SameSite = SameSiteMode.None,
Secure = Request.IsHttps,
Expires = Clock.UtcNow.Add(Options.RemoteAuthenticationTimeout),
};
@ -243,7 +243,7 @@ namespace Microsoft.AspNetCore.Authentication
var cookieOptions = new CookieOptions
{
HttpOnly = true,
SameSite = SameSiteMode.Lax,
SameSite = SameSiteMode.None,
Secure = Request.IsHttps
};
Response.Cookies.Delete(cookieName, cookieOptions);
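Review bot: The correlation cookie now carries `SameSiteMode.None` although the commit message says social authentication only needs Lax, and nothing in the hunk records which flow forces None on this shared base handler; a comment at the `SameSite = SameSiteMode.None,` line such as `// Some providers return the callback cross-site via POST (e.g. OIDC form_post); Lax would withhold the correlation cookie.` would let a maintainer tighten it per handler later. This cookie is what binds the callback to the browser that started the flow, so its defence now rests on `HttpOnly`, the unguessable value and `Secure = Request.IsHttps` alone, which is worth stating next to it. Deleting with options that mirror the write (second hunk) is correct, since a SameSite mismatch could leave the cookie in place. Both methods that build these options start outside their hunks.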


@ -15,7 +15,7 @@ namespace Microsoft.AspNetCore.Builder
/// <summary>
/// Affects the cookie's same site attribute.
/// </summary>
public SameSiteMode MinimumSameSitePolicy { get; set; } = SameSiteMode.Strict;
public SameSiteMode MinimumSameSitePolicy { get; set; } = SameSiteMode.Lax;
/// <summary>
/// Affects whether cookies must be HttpOnly.
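Review bot: `MinimumSameSitePolicy` now defaults to Lax in the same commit that sets the OIDC nonce and remote correlation cookies to `SameSiteMode.None`; if this property is enforced as a floor, as its name and the updated tests suggest, an app that adds the cookie-policy middleware with defaults would raise those cookies back to Lax and silently reintroduce the failure this commit fixes. The summary `/// Affects the cookie's same site attribute.` says nothing about that; I would replace it with `/// Lowest SameSite value the middleware will emit; cookies with a weaker value are raised to it. Defaults to Lax, which also affects handlers that must issue None cookies (OIDC nonce, remote correlation).` hedged to the middleware's actual behaviour, which is not visible here.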


@ -59,10 +59,10 @@ namespace Microsoft.AspNetCore.CookiePolicy.Test
transaction =>
{
Assert.NotNull(transaction.SetCookie);
Assert.Equal("A=A; path=/; secure; samesite=strict", transaction.SetCookie[0]);
Assert.Equal("B=B; path=/; secure; samesite=strict", transaction.SetCookie[1]);
Assert.Equal("C=C; path=/; secure; samesite=strict", transaction.SetCookie[2]);
Assert.Equal("D=D; path=/; secure; samesite=strict", transaction.SetCookie[3]);
Assert.Equal("A=A; path=/; secure; samesite=lax", transaction.SetCookie[0]);
Assert.Equal("B=B; path=/; secure; samesite=lax", transaction.SetCookie[1]);
Assert.Equal("C=C; path=/; secure; samesite=lax", transaction.SetCookie[2]);
Assert.Equal("D=D; path=/; secure; samesite=lax", transaction.SetCookie[3]);
}));
}
@ -79,10 +79,10 @@ namespace Microsoft.AspNetCore.CookiePolicy.Test
transaction =>
{
Assert.NotNull(transaction.SetCookie);
Assert.Equal("A=A; path=/; samesite=strict", transaction.SetCookie[0]);
Assert.Equal("B=B; path=/; samesite=strict", transaction.SetCookie[1]);
Assert.Equal("C=C; path=/; samesite=strict", transaction.SetCookie[2]);
Assert.Equal("D=D; path=/; secure; samesite=strict", transaction.SetCookie[3]);
Assert.Equal("A=A; path=/; samesite=lax", transaction.SetCookie[0]);
Assert.Equal("B=B; path=/; samesite=lax", transaction.SetCookie[1]);
Assert.Equal("C=C; path=/; samesite=lax", transaction.SetCookie[2]);
Assert.Equal("D=D; path=/; secure; samesite=lax", transaction.SetCookie[3]);
}));
}
@ -99,19 +99,19 @@ namespace Microsoft.AspNetCore.CookiePolicy.Test
transaction =>
{
Assert.NotNull(transaction.SetCookie);
Assert.Equal("A=A; path=/; samesite=strict", transaction.SetCookie[0]);
Assert.Equal("B=B; path=/; samesite=strict", transaction.SetCookie[1]);
Assert.Equal("C=C; path=/; samesite=strict", transaction.SetCookie[2]);
Assert.Equal("D=D; path=/; samesite=strict", transaction.SetCookie[3]);
Assert.Equal("A=A; path=/; samesite=lax", transaction.SetCookie[0]);
Assert.Equal("B=B; path=/; samesite=lax", transaction.SetCookie[1]);
Assert.Equal("C=C; path=/; samesite=lax", transaction.SetCookie[2]);
Assert.Equal("D=D; path=/; samesite=lax", transaction.SetCookie[3]);
}),
new RequestTest("https://example.com/secureSame",
transaction =>
{
Assert.NotNull(transaction.SetCookie);
Assert.Equal("A=A; path=/; secure; samesite=strict", transaction.SetCookie[0]);
Assert.Equal("B=B; path=/; secure; samesite=strict", transaction.SetCookie[1]);
Assert.Equal("C=C; path=/; secure; samesite=strict", transaction.SetCookie[2]);
Assert.Equal("D=D; path=/; secure; samesite=strict", transaction.SetCookie[3]);
Assert.Equal("A=A; path=/; secure; samesite=lax", transaction.SetCookie[0]);
Assert.Equal("B=B; path=/; secure; samesite=lax", transaction.SetCookie[1]);
Assert.Equal("C=C; path=/; secure; samesite=lax", transaction.SetCookie[2]);
Assert.Equal("D=D; path=/; secure; samesite=lax", transaction.SetCookie[3]);
}));
}
@ -128,10 +128,10 @@ namespace Microsoft.AspNetCore.CookiePolicy.Test
transaction =>
{
Assert.NotNull(transaction.SetCookie);
Assert.Equal("A=A; path=/; samesite=strict; httponly", transaction.SetCookie[0]);
Assert.Equal("B=B; path=/; samesite=strict; httponly", transaction.SetCookie[1]);
Assert.Equal("C=C; path=/; samesite=strict; httponly", transaction.SetCookie[2]);
Assert.Equal("D=D; path=/; samesite=strict; httponly", transaction.SetCookie[3]);
Assert.Equal("A=A; path=/; samesite=lax; httponly", transaction.SetCookie[0]);
Assert.Equal("B=B; path=/; samesite=lax; httponly", transaction.SetCookie[1]);
Assert.Equal("C=C; path=/; samesite=lax; httponly", transaction.SetCookie[2]);
Assert.Equal("D=D; path=/; samesite=lax; httponly", transaction.SetCookie[3]);
}));
}
@ -148,10 +148,10 @@ namespace Microsoft.AspNetCore.CookiePolicy.Test
transaction =>
{
Assert.NotNull(transaction.SetCookie);
Assert.Equal("A=A; path=/; samesite=strict", transaction.SetCookie[0]);
Assert.Equal("B=B; path=/; samesite=strict", transaction.SetCookie[1]);
Assert.Equal("C=C; path=/; samesite=strict", transaction.SetCookie[2]);
Assert.Equal("D=D; path=/; samesite=strict; httponly", transaction.SetCookie[3]);
Assert.Equal("A=A; path=/; samesite=lax", transaction.SetCookie[0]);
Assert.Equal("B=B; path=/; samesite=lax", transaction.SetCookie[1]);
Assert.Equal("C=C; path=/; samesite=lax", transaction.SetCookie[2]);
Assert.Equal("D=D; path=/; samesite=lax; httponly", transaction.SetCookie[3]);
}));
}
@ -242,10 +242,10 @@ namespace Microsoft.AspNetCore.CookiePolicy.Test
var transaction = await server.SendAsync("http://example.com/login");
Assert.NotNull(transaction.SetCookie);
Assert.Equal("Hao=Hao; path=/; samesite=strict", transaction.SetCookie[0]);
Assert.Equal("Hao=Hao; path=/; samesite=strict", transaction.SetCookie[1]);
Assert.Equal("Hao=Hao; path=/; samesite=strict", transaction.SetCookie[2]);
Assert.Equal("Hao=Hao; path=/; secure; samesite=strict", transaction.SetCookie[3]);
Assert.Equal("Hao=Hao; path=/; samesite=lax", transaction.SetCookie[0]);
Assert.Equal("Hao=Hao; path=/; samesite=lax", transaction.SetCookie[1]);
Assert.Equal("Hao=Hao; path=/; samesite=lax", transaction.SetCookie[2]);
Assert.Equal("Hao=Hao; path=/; secure; samesite=lax", transaction.SetCookie[3]);
}
[Fact]
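Review bot: Every updated assertion covers cookies that set no SameSite value of their own and checks that `samesite=lax` is appended; none writes a cookie with `SameSiteMode.None`, as the OIDC and remote-authentication handlers now do, and pins whether the Lax minimum leaves it alone or raises it. That interaction is the one the commit depends on, so I would add a case in this class that sets a `None` cookie through the middleware and asserts the exact `Set-Cookie` header, whichever way the policy is meant to behave. The test method holding the last hunk starts outside it.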