#106 Fix: Adds Secure Cookie flag and tests
Justin Kotalik committed Jun 16, 2016
1 parent db5fd0e commit 83bc308
Showing 3 changed files with 66 additions and 0 deletions.
8 changes: 8 additions & 0 deletions src/Microsoft.AspNetCore.Session/SessionMiddleware.cs
Expand Up @@ -156,6 +156,14 @@ private void SetCookie()
HttpOnly = _options.CookieHttpOnly,
Path = _options.CookiePath ?? SessionDefaults.CookiePath,
};
if (_options.CookieSecure == CookieSecurePolicy.SameAsRequest)
{
cookieOptions.Secure = _context.Request.IsHttps;
}
else
{
cookieOptions.Secure = _options.CookieSecure == CookieSecurePolicy.Always;
}

_context.Response.Cookies.Append(_options.CookieName, _cookieValue, cookieOptions);

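Review bot: The `SameAsRequest` branch derives the Secure flag from `_context.Request.IsHttps`, which behind a TLS-terminating proxy is only correct when the forwarded scheme has been applied upstream; otherwise the session cookie is emitted without Secure on a connection the client saw as HTTPS, and that dependency deserves a comment such as `// SameAsRequest trusts Request.IsHttps; behind a proxy this is only right if the forwarded scheme is applied earlier in the pipeline`. With `Always` on a plain-HTTP request the cookie is still written with Secure, which browsers will not return over HTTP, so the session is silently recreated on every request — worth documenting or logging rather than leaving as a surprise. The if/else could also fold into the initializer as a single line: `Secure = _options.CookieSecure == CookieSecurePolicy.Always || (_options.CookieSecure == CookieSecurePolicy.SameAsRequest && _context.Request.IsHttps),`. SetCookie begins before this hunk.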
5 changes: 5 additions & 0 deletions src/Microsoft.AspNetCore.Session/SessionOptions.cs
Expand Up @@ -2,6 +2,7 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Session;

namespace Microsoft.AspNetCore.Builder
Expand Down Expand Up @@ -35,6 +36,10 @@ public class SessionOptions
/// </summary>
public bool CookieHttpOnly { get; set; } = true;

/// <summary>
/// Determines if the cookie should only be transmitted on HTTPS requests.
public CookieSecurePolicy CookieSecure { get; set; } = CookieSecurePolicy.None;

/// <summary>
/// The IdleTimeout indicates how long the session can be idle before its contents are abandoned. Each session access
/// resets the timeout. Note this only applies to the content of the session, not the cookie.
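Review bot: The XML doc comment on the new `CookieSecure` property is missing its closing `</summary>` tag — the summary line goes straight into the property declaration, unlike `CookieHttpOnly` just above it — which yields a badly-formed-XML warning when documentation generation is enabled. The default of `CookieSecurePolicy.None` also means the session cookie is sent over plain HTTP even when the request arrived over HTTPS, the weakest of the three choices; `CookieSecurePolicy.SameAsRequest` would be the safer default, and if `None` is kept for compatibility the summary should say so explicitly. Suggested comment: `/// Determines if the cookie should only be transmitted on HTTPS requests. Defaults to <see cref="CookieSecurePolicy.None"/>, which sends it over HTTP as well.` followed by `/// </summary>`.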
53 changes: 53 additions & 0 deletions test/Microsoft.AspNetCore.Session.Tests/SessionTests.cs
Expand Up @@ -87,6 +87,59 @@ public async Task SettingAValueCausesTheCookieToBeCreated()
}
}

[Theory]
[InlineData(CookieSecurePolicy.Always, "http://example.com/testpath", true)]
[InlineData(CookieSecurePolicy.Always, "https://example.com/testpath", true)]
[InlineData(CookieSecurePolicy.None, "http://example.com/testpath", false)]
[InlineData(CookieSecurePolicy.None, "https://example.com/testpath", false)]
[InlineData(CookieSecurePolicy.SameAsRequest, "http://example.com/testpath", false)]
[InlineData(CookieSecurePolicy.SameAsRequest, "https://example.com/testpath", true)]
public async Task SecureSessionBasedOnHttpsAndSecurePolicy(
CookieSecurePolicy cookieSecurePolicy,
string requestUri,
bool shouldBeSecureOnly)
{
var builder = new WebHostBuilder()
.Configure(app =>
{
app.UseSession(new SessionOptions
{
CookieName = "TestCookie",
CookieSecure = cookieSecurePolicy
});
app.Run(context =>
{
Assert.Null(context.Session.GetString("Key"));
context.Session.SetString("Key", "Value");
Assert.Equal("Value", context.Session.GetString("Key"));
return Task.FromResult(0);
});
})
.ConfigureServices(services =>
{
services.AddDistributedMemoryCache();
services.AddSession();
});

using (var server = new TestServer(builder))
{
var client = server.CreateClient();
var response = await client.GetAsync(requestUri);
response.EnsureSuccessStatusCode();
IEnumerable<string> values;
Assert.True(response.Headers.TryGetValues("Set-Cookie", out values));
Assert.Equal(1, values.Count());
if (shouldBeSecureOnly)
{
Assert.Contains("; secure", values.First());
}
else
{
Assert.DoesNotContain("; secure", values.First());
}
}
}

[Fact]
public async Task SessionCanBeAccessedOnTheNextRequest()
{
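Review bot: The theory pins each explicit policy but nothing exercises the case where `CookieSecure` is left unset, so the default behaviour is untested; adding an `[InlineData]` row or a small `[Fact]` that sets only `CookieName` and checks for the flag would lock it down. `Assert.Contains("; secure", values.First())` is an ordinal, case-sensitive substring match, which works for what the middleware emits today but would break on a harmless casing change in the header writer; `Assert.Contains("; secure", values.First(), StringComparison.OrdinalIgnoreCase)` is more robust. As a matter of style, `Assert.Equal(1, values.Count())` reads better as `Assert.Single(values)`. The enclosing test class continues outside this hunk.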
