Merge pull request #4711 from jhartmann123/cookie

Allow setting SameSite mode of the SessionId cookie
IdentityServer · Oct 7, 2020 · 5c87628 · 5c87628
2 parents 7cf6192 + 4dc4090
commit 5c87628
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 1 deletion.
diff --git a/docs/reference/options.rst b/docs/reference/options.rst
@@ -56,6 +56,9 @@ Authentication
 * ``CheckSessionCookieDomain``
     The domain of the cookie used for the check session endpoint.
 
+* ``CheckSessionCookieSameSiteMode``
+    The SameSite mode of the cookie used for the check session endpoint.
+
 * ``RequireCspFrameSrcForSignout``
     If set, will require frame-src CSP headers being emitting on the end session callback endpoint which renders iframes to clients for front-channel signout notification. Defaults to true.
 

diff --git a/src/IdentityServer4/src/Configuration/DependencyInjection/Options/AuthenticationOptions.cs b/src/IdentityServer4/src/Configuration/DependencyInjection/Options/AuthenticationOptions.cs
@@ -51,6 +51,11 @@ public class AuthenticationOptions
         /// </summary>
         public string CheckSessionCookieDomain { get; set; }
 
+        /// <summary>
+        /// Gets or sets the SameSite mode of the cookie used for the check session endpoint. Defaults to SameSiteMode.None.
+        /// </summary>
+        public SameSiteMode CheckSessionCookieSameSiteMode { get; set; } = SameSiteMode.None;
+
         /// <summary>
         /// If set, will require frame-src CSP headers being emitting on the end session callback endpoint which renders iframes to clients for front-channel signout notification.
         /// </summary>

diff --git a/src/IdentityServer4/src/Services/Default/DefaultUserSession.cs b/src/IdentityServer4/src/Services/Default/DefaultUserSession.cs
@@ -67,6 +67,14 @@ public class DefaultUserSession : IUserSession
         /// </value>
         protected string CheckSessionCookieDomain => Options.Authentication.CheckSessionCookieDomain;
 
+        /// <summary>
+        /// Gets the SameSite mode of the check session cookie.
+        /// </summary>
+        /// <value>
+        /// The SameSite mode of the check session cookie.
+        /// </value>
+        protected SameSiteMode CheckSessionCookieSameSiteMode => Options.Authentication.CheckSessionCookieSameSiteMode;
+
         /// <summary>
         /// The principal
         /// </summary>
@@ -238,7 +246,7 @@ public virtual CookieOptions CreateSessionIdCookieOptions()
                 Path = path,
                 IsEssential = true,
                 Domain = CheckSessionCookieDomain,
-                SameSite = SameSiteMode.None
+                SameSite = CheckSessionCookieSameSiteMode
             };
 
             return options;