
[Announcement] Cookie name encoding being removed to prevent spoofing of security prefixes #23578

Closed
Tratcher opened this issue Jul 1, 2020 · 2 comments
Labels
area-networking: Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
breaking-change: This issue / pr will introduce a breaking change, when resolved / merged.
Comments

Tratcher (Member) commented Jul 1, 2020

Cookie name encoding being removed to prevent spoofing of security prefixes

The HTTP cookie standard only allows specific characters in cookie names and values. ASP.NET Core and other web frameworks accommodate disallowed characters in these fields by encoding them when creating a response cookie and decoding when reading a request cookie.

This encoding behavior is being changed in response to a security concern.

Version introduced

5.0

Old behavior

Response cookie names would be encoded, and request cookie names would be decoded.

New behavior

In .NET 5.0 we will remove the cookie name encoding and decoding. For prior supported versions we plan to mitigate the decoding issue in place.

Cookie value encoding and decoding will not be changed.

Reason for change

An issue was discovered in multiple web frameworks where this encoding/decoding could allow an attacker to bypass a security feature called cookie prefixes by spoofing the reserved prefixes like __Host- with encoded values like __%48ost-. This attack requires a secondary exploit in order to inject the spoofed cookies, such as an XSS vulnerability in the web site. These prefixes are not used by default in ASP.NET Core or Microsoft.Owin libraries or templates.

All versions of ASP.NET Core and Microsoft.Owin are affected.

Recommended action

Applications moving to .NET 5.0 should ensure that their cookie names conform to the token spec requirements: ASCII characters excluding controls and separators "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <"> | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT. The use of non-ASCII characters in cookie names or other HTTP headers may cause an exception from the server, or be improperly round tripped by the client.

Category

ASP.NET

Affected APIs

HttpRequest.Cookies
HttpResponse.Cookies
IOwinRequest.Cookies
IOwinResponse.Cookies

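As an added example, not code from the ASP.NET Core or Microsoft.Owin repositories, the following Python models the two behaviours the post describes (the pre-5.0 percent-decoding of request cookie names and the .NET 5.0 verbatim handling) and checks candidate names against the token grammar from the recommended action. The Cookie header, the cookie names and the helper names (`parse_cookie_header`, `lookup_host_cookie`, `is_token`, `demo`) are constructed for illustration and are not the framework's API.

```python
"""Model of the cookie-name handling change described in the announcement.

decode_names=True  models the pre-5.0 behaviour: request cookie names are
                   percent-decoded before the application sees them.
decode_names=False models .NET 5.0: names are taken verbatim.

Illustrative code only; this is not ASP.NET Core's cookie parser.
"""
from urllib.parse import unquote

# RFC 2616 token separators, as listed in the announcement's recommended action
# ("(" ")" "<" ">" "@" "," ";" ":" "\" <"> "/" "[" "]" "?" "=" "{" "}" SP HT).
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def is_token(name: str) -> bool:
    """True if `name` satisfies the token grammar .NET 5.0 expects of cookie
    names: printable ASCII, no control characters, none of the separators."""
    if not name:
        return False
    return all(0x20 < ord(ch) < 0x7F and ch not in SEPARATORS for ch in name)


def parse_cookie_header(header: str, decode_names: bool) -> dict:
    """Parse a request Cookie header into {name: value}.

    Values are left untouched: the announcement says value encoding is
    unchanged, and values are irrelevant to the prefix-spoofing problem.
    A later duplicate name overwrites an earlier one; that is this model's
    choice, not a claim about the framework.
    """
    cookies = {}
    for pair in header.split(';'):
        name, sep, value = pair.strip().partition('=')
        if not sep:
            continue
        name = name.strip()
        if decode_names:
            name = unquote(name)  # pre-5.0: '__%48ost-' turns into '__Host-'
        cookies[name] = value.strip()
    return cookies


def lookup_host_cookie(cookies: dict, logical_name: str):
    """Fetch a cookie the application expects under the __Host- prefix.

    The application relies on the browser having enforced the __Host- rules
    (Secure, no Domain attribute, Path=/) for any cookie with that name.
    The browser only applies those rules when the name literally starts
    with "__Host-", so a percent-encoded variant escapes them.
    """
    return cookies.get('__Host-' + logical_name)


# Constructed request header. An attacker with script execution on the site
# (the secondary exploit the announcement mentions, e.g. XSS) has run
#   document.cookie = "__%48ost-session=attacker-chosen; path=/"
# which the browser accepts without applying any __Host- checks.
SPOOFED_HEADER = '__%48ost-session=attacker-chosen; theme=dark'


def demo() -> dict:
    """Run the spoofed header through both behaviours and report what the
    application would see when it asks for its __Host-session cookie."""
    old = parse_cookie_header(SPOOFED_HEADER, decode_names=True)
    new = parse_cookie_header(SPOOFED_HEADER, decode_names=False)
    return {
        'old_session': lookup_host_cookie(old, 'session'),  # 'attacker-chosen'
        'new_session': lookup_host_cookie(new, 'session'),  # None
        'new_names': sorted(new),  # ['__%48ost-session', 'theme']
    }


if __name__ == '__main__':
    print(demo())
    for candidate in ['__Host-session', '__%48ost-session', 'session id', 'sessión']:
        print(f'{candidate!r}: token={is_token(candidate)}')
```

Note that `__%48ost-session` passes the token check, since `%` is not a separator. Validating cookie names as tokens therefore does not by itself stop the spoof; what stops it is no longer decoding the name before the `__Host-` comparison, which is why the fix is the removal of name decoding rather than tighter validation. The token check matters for the other direction: response cookie names that are not tokens can no longer be encoded for you and must be renamed.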
KalleOlaviNiemitalo commented Sep 9, 2020

All versions of ASP.NET Core and Microsoft.Owin are affected.

According to AspNetKatana release 4.1.1, "CVE-2020-1045 also applies to Microsoft.Owin"; it does not have a separate CVE identifier.

ghost commented Nov 12, 2020

Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn't been addressed yet, please file a new issue.

This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue!

@ghost ghost closed this as completed Nov 12, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 12, 2020
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Aug 24, 2023