16

This might be a simple question, I'm hoping it is at least.

I've started to look into the Release Candidate of ASP.NET Core and I can see that a lot of the configuration has been moved out of the old web.config file and into JSON structured files (as well as XML and any other middleware that you might want to write yourself).
The one thing I haven't yet figured out how to do is something that was so simple in the old web.config approach: securing some of the basic components of your site, like cookies.

Previously we'd set the secure, httpOnly and so on inside web.config and when it came to deployment a nice little transform file would modify the values for us and spit out the new file at the end. After reading round a bit, it seems that web.config is pretty much dead now, so how do we go about achieving the same results?

I know we can load different config files based on whether certain variables, such as environment, are set to DEV, STAGING, PRODUCTION etc., but this seems to be just replacing transforms with something that is a transform for all intents and purposes, except in how it's actually loaded?

Have I missed something here or have I managed to work myself into a bit of a mess?

VMAtm
Jak Hammond
  • aspnet.core itself does not read web.config at all. It is only being used when you use IIS to forward requests to an AspNet Core application in which case the IIS is only running as a reverse proxy. – Pawel Mar 22 '16 at 23:18
  • Have you looked at the [docs](http://docs.asp.net/en/latest/security/authentication/cookie.html) for cookies in Asp.Net Core? I'm not quite sure what your second to last paragraph is asking. Are you wondering about how to do transforms in addition to cookies? – Will Ray Mar 23 '16 at 01:31
  • @Will sorry, I'll try to be a little clearer. I know you can enable cookie-based authentication and inside there you can define options like `httpOnly`, but my question relates to cookies in general, as I'm not using them for authentication but still want to ensure they're being handled securely/correctly – Jak Hammond Mar 23 '16 at 07:08
  • @Alexei please don't use `inline code` to highlight random terms. – CodeCaster Mar 23 '16 at 15:26
  • @aguafrommars please don't use `inline code` to highlight random terms. – CodeCaster Mar 23 '16 at 15:27

3 Answers

25

For a general cookie manually created within your application, you control the flags for security when creating it - for example:

```csharp
Response.Cookies.Append(
    "COOKIE_NAME",
    "COOKIE_VALUE",
    new CookieOptions()
    {
        Path = "/",
        HttpOnly = false, // true: not readable from client-side script
        Secure = false    // true: only sent over HTTPS
    }
);
```

Here, setting HttpOnly to true would prevent client-side JS from accessing the cookie value, and setting Secure to true would only allow the cookie to be served/received over HTTPS.

No defaults are applied when you add cookies to the response, as can be seen in the source code for the ResponseCookies class.

For the various middlewares that create and consume their own cookies (like the Session middleware that you have mentioned in your answer), they may have their own configuration options that will control these flags for those cookies they create themselves, but this will make no difference to cookies you create elsewhere in your application.

Michael Freidgeim
Mark Hughes
  • So am I right in assuming then, at least from what I've gathered so far, there is no way to globally control options like `httpOnly` and `secure` on cookies generated in the web app? This seems a little counter-intuitive – Jak Hammond Mar 23 '16 at 16:16
  • I don't believe there is - looking through the [official docs](http://docs.asp.net/) and the [source code for the ResponseCookies class ](https://github.com/aspnet/HttpAbstractions/blob/master/src/Microsoft.AspNet.Http/ResponseCookies.cs) which handles cookies being added to the response, I can't see anything which would use a default when creating a cookie. – Mark Hughes Mar 23 '16 at 16:35
  • @Jak I've updated my answer to reflect that no defaults are applied – Mark Hughes Mar 23 '16 at 16:37
  • Awesome, thanks, something I'll have to keep in mind then when dealing with cookies, although writing middleware is easy enough so I could plug something in very early on, or as the very last piece in the pipeline that attempts to apply some default settings to cookies, but suppose we then run the risk of breaking some other middleware... well, guess we'll see where this goes, but thanks for the help! :) – Jak Hammond Mar 23 '16 at 16:44
  • @Jak A middleware applied last in the pipeline to edit the values of the cookie headers should probably work consistently, but it would mean that any values you (or any earlier middleware) did set would be discarded. Alternatively, there's probably a way of replacing the default ResponseCookiesFeature to include one which sets defaults for you... Either way, complexity! Please consider accepting the answer if you are happy it covers what you're looking for. – Mark Hughes Mar 23 '16 at 16:48
13

It's an old question, but I didn't see this answer anywhere so here goes.

As for configuring the behavior of cookies globally you can do it in the Startup.

```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
    {
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
        options.HttpOnly = HttpOnlyPolicy.Always;
        options.Secure = CookieSecurePolicy.Always;
        // you can add more options here and they will be applied to all cookies (middleware and manually created cookies)
    });

    ...
}
```

As for doing this in a manner that you have different configurations per environment I still haven't found a way of doing it myself.

Iman Mahmoudinasab
André Sousa
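Two things the answers above leave open: the CookiePolicyOptions registration only takes effect once app.UseCookiePolicy() is in the pipeline (that middleware wraps the response-cookies feature, which is why it also covers the manually appended cookies from the first answer), and the per-environment part the second answer could not find falls out of the standard appsettings.{EnvironmentName}.json layering. The following is an added example, not code from the question or any answer; it assumes .NET 6+ minimal hosting and the constructed configuration files shown in the comments.

```csharp
// Added example, not from the question or any answer: a .NET 6+ minimal-hosting
// Program.cs that applies cookie flags globally and varies them per environment.
// Assumes (constructed for this example) these configuration files:
//   appsettings.json:             { "CookiePolicy": { "Secure": "Always", "HttpOnly": "Always", "MinimumSameSitePolicy": "Lax" } }
//   appsettings.Development.json: { "CookiePolicy": { "Secure": "SameAsRequest" } }
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// 1. Safe baseline in code, so a missing or mistyped config section cannot
//    silently leave cookies without Secure/HttpOnly.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.Secure = CookieSecurePolicy.Always;
    options.MinimumSameSitePolicy = SameSiteMode.Lax;
});

// 2. Environment-specific overrides: the host layers appsettings.{EnvironmentName}.json
//    over appsettings.json (the replacement for web.config transforms); enum values
//    bind from their names ("Always", "SameAsRequest", "Lax").
builder.Services.Configure<CookiePolicyOptions>(
    builder.Configuration.GetSection("CookiePolicy"));

// 3. Guard rail: only Development may relax Secure, whatever the files say.
builder.Services.PostConfigure<CookiePolicyOptions>(options =>
{
    if (!builder.Environment.IsDevelopment())
        options.Secure = CookieSecurePolicy.Always;
});

var app = builder.Build();

// Without this middleware the options above are never consulted: it wraps the
// response-cookies feature so every Append, yours or a middleware's, gets the flags.
app.UseCookiePolicy();

app.MapGet("/", (HttpContext context) =>
{
    // No CookieOptions given; the policy adds HttpOnly, Secure and SameSite.
    context.Response.Cookies.Append("prefs", "dark");
    return "cookie set";
});

app.Run();
```

Run it with ASPNETCORE_ENVIRONMENT=Development and the Set-Cookie header carries Secure only on HTTPS requests; in any other environment it is always present.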
0

Ok, figured it out. It seems I still need to remind myself that most things in .NET5 are now opt-in, including things like Session, which is where cookies now live. Reading through the docs, I eventually found what I needed to enable cookies and configure them.

Jak Hammond
  • I don't believe this is correct - that will control the cookies used for session state only, not for all cookies in general. I'll post an answer with my understanding of how it does work. – Mark Hughes Mar 23 '16 at 15:14
  • I double that, the link for the docs only covers the session state cookies. I am still battling with setting cookies in asp.net core... sighing for the simplicity of php at times... setcookie()... wishing for it in asp.net core – Max Apr 14 '17 at 07:47
  • This is not an answer, it is a status update. Please post the steps. – Peter Morris Jul 26 '17 at 08:46