
#106 Fix: Adds Secure Cookie flag and tests
Justin Kotalik committed Jun 16, 2016
1 parent db5fd0e commit 11eaf24
Showing 3 changed files with 69 additions and 1 deletion.
10 changes: 9 additions & 1 deletion src/Microsoft.AspNetCore.Session/SessionMiddleware.cs
Expand Up @@ -156,7 +156,15 @@ private void SetCookie()
HttpOnly = _options.CookieHttpOnly,
Path = _options.CookiePath ?? SessionDefaults.CookiePath,
};

if (_options.CookieSecure == CookieSecurePolicy.SameAsRequest)
{
cookieOptions.Secure = _context.Request.IsHttps;
}
else
{
cookieOptions.Secure = _options.CookieSecure == CookieSecurePolicy.Always;
}

_context.Response.Cookies.Append(_options.CookieName, _cookieValue, cookieOptions);

_context.Response.Headers["Cache-Control"] = "no-cache";
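Review bot: The else branch after the SameAsRequest check maps every other policy to `Secure = _options.CookieSecure == CookieSecurePolicy.Always`, so an unrecognised CookieSecurePolicy value (an enum variable can carry any int) silently fails open to a non-secure cookie. An explicit switch over the three members with a throwing default keeps the mapping closed and surfaces a misconfiguration at the first session write instead of downgrading the cookie. The SameAsRequest branch also deserves a comment, since `Request.IsHttps` reflects the scheme of the connection the server itself saw: `// SameAsRequest relies on Request.IsHttps, which is false behind a TLS-terminating proxy unless forwarded headers are processed earlier in the pipeline.` SetCookie's signature and the start of the cookieOptions initializer are above the hunk.
```csharp
            };

            switch (_options.CookieSecure)
            {
                case CookieSecurePolicy.Always:
                    cookieOptions.Secure = true;
                    break;
                case CookieSecurePolicy.None:
                    cookieOptions.Secure = false;
                    break;
                case CookieSecurePolicy.SameAsRequest:
                    // Mirrors the scheme the server saw; behind a TLS-terminating proxy
                    // this is false unless forwarded headers are processed first.
                    cookieOptions.Secure = _context.Request.IsHttps;
                    break;
                default:
                    throw new InvalidOperationException($"Unsupported CookieSecurePolicy value: {_options.CookieSecure}.");
            }

            // … unchanged: Cookies.Append and Cache-Control headers …
```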
8 changes: 8 additions & 0 deletions src/Microsoft.AspNetCore.Session/SessionOptions.cs
Expand Up @@ -3,6 +3,7 @@

using System;
using Microsoft.AspNetCore.Session;
using Microsoft.AspNetCore.Http;

namespace Microsoft.AspNetCore.Builder
{
Expand Down Expand Up @@ -35,6 +36,13 @@ public class SessionOptions
/// </summary>
public bool CookieHttpOnly { get; set; } = true;

/// <summary>
/// Determines if the cookie should only be transmitted on HTTPS request. The default is to limit the cookie
/// to HTTPS requests if the page which is doing the SignIn is also HTTPS. If you have an HTTPS sign in page
/// and portions of your site are HTTP you may need to change this value.
/// </summary>
public CookieSecurePolicy CookieSecure { get; set; }

/// <summary>
/// The IdleTimeout indicates how long the session can be idle before its contents are abandoned. Each session access
/// resets the timeout. Note this only applies to the content of the session, not the cookie.
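Review bot: `CookieSecure` is declared without an initializer, so the default the summary documents (limit to HTTPS when the request is HTTPS) holds only because SameAsRequest is the enum's zero member, which is an implicit dependency; `public CookieSecurePolicy CookieSecure { get; set; } = CookieSecurePolicy.SameAsRequest;` states it explicitly and matches the sibling `CookieHttpOnly { get; set; } = true;` just above. The summary also speaks of "the page which is doing the SignIn", which is cookie-authentication wording — session middleware has no sign-in — so it should describe the request that first writes to the session, e.g. "The default marks the cookie secure only when the request that created the session was made over HTTPS; if parts of the site are served over HTTP the cookie will then not be sent to them." In the first hunk the new `using Microsoft.AspNetCore.Http;` is placed after `Microsoft.AspNetCore.Session`, breaking the alphabetical order of the directives.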
52 changes: 52 additions & 0 deletions test/Microsoft.AspNetCore.Session.Tests/SessionTests.cs
Expand Up @@ -87,6 +87,58 @@ public async Task SettingAValueCausesTheCookieToBeCreated()
}
}

[Theory]
[InlineData(CookieSecurePolicy.Always, "http://example.com/testpath", true)]
[InlineData(CookieSecurePolicy.Always, "https://example.com/testpath", true)]
[InlineData(CookieSecurePolicy.None, "http://example.com/testpath", false)]
[InlineData(CookieSecurePolicy.None, "https://example.com/testpath", false)]
[InlineData(CookieSecurePolicy.SameAsRequest, "http://example.com/testpath", false)]
[InlineData(CookieSecurePolicy.SameAsRequest, "https://example.com/testpath", true)]
public async Task SecureSignInCausesSecureOnlyCookieByDefault(
CookieSecurePolicy cookieSecurePolicy,
string requestUri,
bool shouldBeSecureOnly)
{
var builder = new WebHostBuilder()
.Configure(app =>
{
app.UseSession(new SessionOptions
{
CookieName = "TestCookie",
CookieSecure = cookieSecurePolicy
});
app.Run(context =>
{
Assert.Null(context.Session.GetString("Key"));
context.Session.SetString("Key", "Value");
Assert.Equal("Value", context.Session.GetString("Key"));
return Task.FromResult(0);
});
})
.ConfigureServices(services =>
{
services.AddDistributedMemoryCache();
services.AddSession();
});
using (var server = new TestServer(builder))
{
var client = server.CreateClient();
var response = await client.GetAsync(requestUri);
response.EnsureSuccessStatusCode();
IEnumerable<string> values;
Assert.True(response.Headers.TryGetValues("Set-Cookie", out values));
Assert.Equal(1, values.Count());
if (shouldBeSecureOnly)
{
Assert.Contains("; secure", values.First());
}
else
{
Assert.DoesNotContain("; secure", values.First());
}
}
}

[Fact]
public async Task SessionCanBeAccessedOnTheNextRequest()
{
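Review bot: Every InlineData row sets CookieSecure explicitly, so the default policy promised by the test's name (`SecureSignInCausesSecureOnlyCookieByDefault`) is never exercised; add a row or a separate Fact that leaves CookieSecure unset and expects the SameAsRequest outcome (no secure flag on the http URI, secure on the https one). The name itself is cookie-authentication vocabulary — nothing signs in here — and the Theory covers all three policies, so something like `CookieSecurePolicyControlsSecureFlag` describes it better. The `"; secure"` substring assertions are case-sensitive, which is fine as long as the cookie serializer's casing is stable; that serializer is not part of this diff, so it is worth a one-line comment saying the literal mirrors its output.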
