This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

Client list cookie issue #41

Closed
yelob opened this issue Feb 17, 2016 · 6 comments


yelob commented Feb 17, 2016

According to the RFC for cookies (https://tools.ietf.org/html/rfc6265#section-4.1.1), a cookie value may not contain a comma.

However, as part of the IdentityServer4.Core.Hosting.ClientCookieList.SetClients(IEnumerable<string>) method (line 64), a JSON-serialized string is created for the list of clients. If there is a single client, this works fine, but when more than one client is authorized, this string is a comma-separated list. When attempting to set the cookie value, anything after the comma is excluded from the cookie value and validation fails.

I propose to convert the string to base64 after serialization, and use that for the value of the cookie. In turn, the cookie would be converted back from a base64 string in the GetClients() method (line 56).

I have modified the code and tested this locally, and can submit a pull request if desired.

@ircnelson

I thought I'd do that too. I think this change is valid.
If they could generate a package of changes, that would help a lot (SSO is broken).

@brockallen
Member

This is a bug in ASP.NET Core. We'll do some quick fix here until RC2 releases and fixes this real issue.

@brockallen
Member

BTW, this is the issue tracking the real fix: aspnet/HttpAbstractions#535


yelob commented Feb 18, 2016

Great, thank you!

brockallen added a commit that referenced this issue Feb 21, 2016
@brockallen
Member

Ok, fixed. We'll push an updated nuget this week.


lock bot commented Jan 15, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 15, 2020