Binding Secure cookies to ITlsTokenBindingFeature

[Tratcher]

Any protected cookie marked as Secure should also use ITlsTokenBindingFeature as part of its protection.

Today CookieAuth always uses ITlsTokenBindingFeature if it's available, ignoring CookieSecureOption. Check CookieSecureOption before applying ITlsTokenBindingFeature.

Other protected data to consider:
OAuth state field
OIDC state fields
OIDC nonce
Twitter request token

[Tratcher]

Re: https://github.com/aspnet/IISIntegration/issues/31

[kevinchalet]

On a related note, you should also consider adding an option in the cookies middleware to disable this feature as it may prevent sharing cookies with OWIN/Katana apps using the interop stuff.

[Tratcher]

I'd prefer to enable/disable ITlsTokenBindingFeature at the source (e.g. the server) rather than at each consumption point.

[kevinchalet]

Well, I guess we could argue that one may want to disable it for a specific cookie only, rather than for the entire app, but either way, I'm fine.

[Eilon]

Need to follow up with partner teams for ANCM and SslStream to see their plans for RTM.

We could theoretically start implementing this here and test with WebListener, but only once we have commitment from partners.

[Tratcher]

aspnet/KestrelHttpServer#736

[Tratcher]

https://github.com/aspnet/HttpSysServer/issues/231

[blowdart]

https://docs.microsoft.com/en-us/windows-server/security/token-binding/introducing-token-binding
https://cloudblogs.microsoft.com/enterprisemobility/2018/08/21/its-time-for-token-binding/

Windows is pretty much ready to go.

[Eilon]

Moving to backlog because it is unclear when we would bring this in.

[blowdart]

Closing as it's unlikely token binding is alive any more.