XsrfCookie not set as essential #1829

Closed
LukeOwlclaw opened this issue Feb 21, 2022 · 1 comment

@LukeOwlclaw

In SetAuthCookie we have:

Response.Cookies.Append(_options.XsrfCookieName, tokens.RequestToken, new CookieOptions
{
    HttpOnly = false,
});

What is missing here:

IsEssential = true,

Without making it essential, the cookie will only be set if the CheckConsentNeeded option is false. However, the auth cookie is essential according to GDPR.

@tidyui tidyui added this to the Version 10.0.3 milestone Feb 21, 2022
@tidyui tidyui added this to To do in Version 10.1 Feb 22, 2022
@tidyui tidyui closed this as completed in a688ae1 Mar 6, 2022
Version 10.1 automation moved this from To do to Done Mar 6, 2022
@tidyui tidyui modified the milestones: Version 10.1, Version 10.0.3 Mar 31, 2022
@tidyui tidyui removed this from Done in Version 10.1 Mar 31, 2022
@tidyui tidyui self-assigned this Mar 31, 2022
@vjacquet
Contributor

The fix works on Firefox but I am still having the issue on Edge (Version 100.0.1185.50 (Version officielle) (64 bits)). I believe the SameSite option should also be set.

I used the following workaround to set the SameSite to SameSiteMode.Strict, as it is done for the antiforgery cookie.

// HACK: Piranha does not set the SameSite option on its XSRF cookie, resulting in a missing cookie on Edge.
// OnAppendCookie is invoked by CookiePolicyMiddleware (app.UseCookiePolicy()) for every cookie the
// application appends, so match on the configured XSRF cookie name and set SameSite there.
builder.Services.AddOptions<CookiePolicyOptions>().Configure<IOptions<ManagerOptions>>((options, manager) =>
{
    options.OnAppendCookie = context =>
    {
        if (context.CookieName == manager.Value.XsrfCookieName)
        {
            context.CookieOptions.SameSite = SameSiteMode.Strict;
        }
    };
});
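An added example, not code from this issue or from Piranha, that puts both points raised above into one minimal ASP.NET Core app: with CheckConsentNeeded returning true, the cookie policy middleware drops any cookie appended without IsEssential = true (the "/before" endpoint mirrors the original SetAuthCookie), while the "/after" endpoint marks the cookie essential and sets SameSite explicitly as the workaround does. The cookie name "XSRF-TOKEN" is a constructed placeholder for Piranha's configured XsrfCookieName.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Constructed placeholder for the configured XsrfCookieName (ManagerOptions in Piranha).
const string XsrfCookieName = "XSRF-TOKEN";

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<CookiePolicyOptions>(options =>
{
    // Simulates a site that requires user consent for non-essential cookies.
    // While this returns true and no consent has been recorded, CookiePolicyMiddleware
    // silently suppresses every appended cookie whose IsEssential is not true.
    options.CheckConsentNeeded = context => true;
    // Floor for SameSite on all cookies, independent of what each Append() passes.
    options.MinimumSameSitePolicy = SameSiteMode.Strict;
});

var app = builder.Build();
app.UseCookiePolicy(); // without this middleware neither CheckConsentNeeded nor OnAppendCookie runs

// Mirrors the original SetAuthCookie: no IsEssential, so the Set-Cookie header never reaches the browser.
app.MapGet("/before", (HttpContext ctx) =>
{
    ctx.Response.Cookies.Append(XsrfCookieName, "request-token", new CookieOptions
    {
        HttpOnly = false,
    });
    return "XSRF cookie appended without IsEssential";
});

// Fixed variant: the anti-forgery cookie is essential, so it survives the consent check,
// and SameSite/Secure are set explicitly instead of relying on browser defaults.
app.MapGet("/after", (HttpContext ctx) =>
{
    ctx.Response.Cookies.Append(XsrfCookieName, "request-token", new CookieOptions
    {
        HttpOnly = false,       // client-side script must read it to echo it back in a header
        IsEssential = true,     // not subject to the consent check
        SameSite = SameSiteMode.Strict,
        Secure = true,
    });
    return "XSRF cookie appended as essential";
});

app.Run();
```

Requesting /before with consent required shows no Set-Cookie header in the response, whereas /after returns the cookie with SameSite=Strict and Secure attributes.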
