New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Cookie] Implement RFC 6265 for Cookie #26141
Comments
It seems that RFC 6265 may have a revision soon: |
I'm bringing a usecase where we are affected. We face this when authenticating using OIDC programmatically. We try to access a resource service.ms.com/api/Users which is served by an ASP.NET Core resource server. Instead of console client apps, there could be WPF app users, who need to authenticate. In “real-life” usually a browser is popped up, where the user can enter their credentials. Similar to the login button in Visual Studio. The cookie exchange: Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8PTm4o2fNlZBg7FWyr-_XnhUMyFm-…redacted….--ybO8o9hW6oYPz0Xmpsk=N; expires=Wed, 08 Apr 2020 07:24:04 GMT; path=/signin-oidc; samesite=none; httponly When IDP returns with the code and state, we should redirect to service.ms.com/signin-oidc with the cookies above and with the values of code and state (provided by the IDP). Without the cookies the service fails the signin request. By turning off autodredirect on the client side (and manually handling them), we can explicitly put the cookies In the container, and that is a workaround, but it seems hacky. (similar code as here: #25226 ) |
@antonfirsov can you please take a look at the part highlighted by @psmulovics above? #26141 (comment) |
@psmulovics, it's a 3-year old bug covered here #21440, where cookies are not set if you set cookies after POST method with redirect. Your workaround is correct and this is the best you can do at this moment. |
Minimal fix for domain-related cookie issues of #26141 To fully comply with RFC 6265, one should remove deprecated cookie properties, such as Version, from public API. So only the stated issues with leading dot were addressed now. Also note that the leading dot was not stripped from the domain even though RFC 6265 proposed it. This behavior was chosen because browsers like Chrome and Edge also don't strip the leading dot.
Resolves "Path related issues" of #26141 (described in #21440, #22372 and #25226) by adapting RFC 6265 for path management: - Removes the restriction for the Path attribute (it's no longer expected to prefix the request path) - Introduces the default-path calculation and path matching algorithms as defined in section 5.1.4 of the new RFC - Adds integration tests for HttpClient based on user scenarios described in the issues
Minimal fix for domain-related cookie issues of dotnet#26141 To fully comply with RFC 6265, one should remove deprecated cookie properties, such as Version, from public API. So only the stated issues with leading dot were addressed now. Also note that the leading dot was not stripped from the domain even though RFC 6265 proposed it. This behavior was chosen because browsers like Chrome and Edge also don't strip the leading dot.
Resolves "Path related issues" of dotnet#26141 (described in dotnet#21440, dotnet#22372 and dotnet#25226) by adapting RFC 6265 for path management: - Removes the restriction for the Path attribute (it's no longer expected to prefix the request path) - Introduces the default-path calculation and path matching algorithms as defined in section 5.1.4 of the new RFC - Adds integration tests for HttpClient based on user scenarios described in the issues
Current Cookie implementation follows RFC 2109, which is obsoleted by RFC 6265.
Per RFC 2109:
RFC 6265 is more tolerant for accepting Cookies, and removes those restrictions. Modern browsers support RFC 6265, and we should match the behavior.
Especially, there are three areas needed to be improved/changed. Path scoping, domain restriction, and other fields (for example, Version attribute, also obsoleted by RFC 6265). Currently we have 5 related issues because of not implementing RFC 6265.
Path related issues
#21440
#22372
#25226
VerifySetDefaults
function.Domain related issues
#19746
#20942
Action plan
The suggested way to approach this umbrella issue is that:
External contributions are welcomed!
The text was updated successfully, but these errors were encountered: