Add Secure cookie flag option to session cookie

[SteveArr]

The session cookie needs the ability to have the 'Secure' flag set. This PR adds support for always use secure flag, never use secure flag and use secure flag only if initial request is SSL.

Included unit tests for Secure flag as well as HTTPOnly flag.

[ghost]

Hi @SteveArr, I'm your friendly neighborhood Microsoft Open Technologies, Inc. Pull Request Bot (You can call me MSOTBOT). Thanks for your contribution!

In order for us to evaluate and accept your PR, we ask that you sign a contribution license agreement. It's all electronic and will take just minutes. I promise there's no faxing. https://cla2.msopentech.com.

TTYL, MSOTBOT;

[ghost]

@SteveArr, Thanks for signing the contribution license agreement so quickly! Actual humans will now validate the agreement and then evaluate the PR.

Thanks, MSOTBOT;

[Eilon]

@blowdart can you have a look?

[blowdart]

My usual naming issues appear

Https != Secure (We should look at CookieOptions as well to fix this)

There's no other problem aside from that.

[Eilon]

@Tratcher are all these suppose to be readonly?

[Tratcher]

Yes

[blowdart]

There is a side effect here, in that if you switch protocols you will loose session if you're switching from HTTPS to HTTP. I don't consider this a bad thing, other opinions may vary.

[Eilon]

BTW we just changed the copyright notice to:

Copyright (c) .NET Foundation. All rights reserved.

[blowdart]

This would probably be better addressed as part of abstractions, where there is already an open issue on the topic. aspnet/HttpAbstractions#42

[SteveArr]

After reading your comments, here is the change I propose:

Take CookieSecureOption.cs and move it up into Aspnet/HttpAbstractions like @blowdart is recommending. Update code comments appropriately.

Update this pull request to use that relocated CookieSecureOption.cs

Update Aspnet/Security/Microsoft.AspNet.Authentication.Cookies to also use the newly located CookieSecureOption.cs to reduce code duplication.

Question: I am unfamiliar with the process for updating code in three different projects. Do I have to submit a PR to HTTPAbstractions first and let that get in before making the changes to Session and Security?

[Tratcher]

You can submit concurrent PRs in multiple repos, just and links to each related PR in the comments.

Do you know how to use the global.json file to compile multiple repos locally?

[SteveArr]

@Tratcher , I am unaware of how to use the global.json file to compile multiple repos locally. Can you forward me some information or pointers?

[Tratcher]

In Session modify the global.json to add a relative reference to HttpAbstractions. This way your local changes will be used rather than the nuget packages.

{
    "projects": [ "src", "..\\HttpAbstractions\\src" ]
}

Do not check in this change, it is only for local development.

[SteveArr]

Got it. I will work on this tonight when I get home.

[dnfclas]

Hi @SteveArr, I'm your friendly neighborhood .NET Foundation Pull Request Bot (You can call me DNFBOT). Thanks for your contribution!

In order for us to evaluate and accept your PR, we ask that you sign a contribution license agreement. It's all electronic and will take just minutes. I promise there's no faxing. https://cla2.dotnetfoundation.org.

TTYL, DNFBOT;

[muratg]

@Tratcher Could you look at this one (and the corresponding HttpAbstractions one)?

[Tratcher]

@SteveArr Can you update your CLA as described above?

[muratg]

@SteveArr Are you still looking into this one?

[muratg]

Closing this one, we'll do aspnet/HttpAbstractions#42 instead.