[BUG] 5.2.3 - Cookies with HttpOnly=True unable to be accessed while using Interactive Render Mode (SignalR + Javascript Interop). #4714

Closed
thabaum opened this issue Oct 7, 2024 · 1 comment


thabaum commented Oct 7, 2024

Oqtane Info

Version - 5.2.3
Render Mode - Interactive
Interactivity - Server/WebAssembly
Database - SQL Server

Describe the bug

LanguageSwitcher does not switch language (Interactive Server / Interactive WebAssembly) because the culture cookie has HttpOnly set to true, and SignalR using JavaScript interop does not allow Oqtane to access these cookies directly.

Taken from discussion #4703

Expected Behavior

Culture (and visitor?) Cookie can be accessed while

Steps To Reproduce

Attempt switching languages via the LanguageSwitcher.razor control in the menu while using interactive render mode site setting.

Anything else?

Set 'HttpOnly=false' if render mode for the site is Interactive

Works OK while in Static Render Mode.

Can these cookies be created using middleware to avoid JavaScript?

https://learn.microsoft.com/en-us/dotnet/api/microsoft.net.http.headers.setcookieheadervalue.httponly?view=aspnetcore-8.0

https://learn.microsoft.com/en-us/dotnet/api/microsoft.net.http.headers.setcookieheadervalue?view=aspnetcore-8.0

thabaum changed the title from "[BUG] 5.2.3 - Cookies unable to be accessed while using Interactive Render Mode (SignalR + Javascript Interop)." to "[BUG] 5.2.3 - Cookies with HttpOnly=True unable to be accessed while using Interactive Render Mode (SignalR + Javascript Interop)." on Oct 7, 2024
sbwalker added a commit that referenced this issue Oct 14, 2024
fix #4714 as well as breaking change in #4712

thabaum commented Oct 14, 2024

@sbwalker this issue is ONLY in interactive mode as I believe static rendering uses HTTP.

Just to be sure
If static: HttpOnly = True

and

If Interactive: HttpOnly = false // cookie is updated using JS Interop

I just want to be sure we want this set to false for static as well if it is working with static set to true. I believe it is SignalR that makes JavaScript calls instead of HTTP? Would this be correct? Which is why my suggestion is to check which mode is set, to avoid XSS attacks in Static (HTTP) calls.

Please correct me if I am wrong.

I would also like to review the visitor cookie as well working in both interactive and static modes.
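
One way to change the culture in interactive render mode while keeping the cookie HttpOnly is to write it from an HTTP endpoint and force a full page load, instead of setting it through JS interop. This is an added example, not Oqtane's code or the fix referenced above; the `/culture/set` route, the culture list, and the use of ASP.NET Core's default culture cookie name are assumptions.

```csharp
using Microsoft.AspNetCore.Localization;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Constructed list of supported cultures for this example.
string[] supported = { "en-US", "fr-FR" };

app.UseRequestLocalization(new RequestLocalizationOptions()
    .SetDefaultCulture(supported[0])
    .AddSupportedCultures(supported)
    .AddSupportedUICultures(supported));

// Hypothetical endpoint. An interactive component would reach it with a real
// HTTP request rather than a SignalR/JS interop call, for example:
//   Navigation.NavigateTo(
//       $"/culture/set?culture={Uri.EscapeDataString(c)}&returnUrl={Uri.EscapeDataString(path)}",
//       forceLoad: true);
app.MapGet("/culture/set", (string culture, string? returnUrl, HttpContext ctx) =>
{
    // Accept only cultures the site actually supports.
    if (!supported.Contains(culture, StringComparer.OrdinalIgnoreCase))
        return Results.BadRequest("Unsupported culture.");

    // Accept only site-relative return paths, so the endpoint is not an open redirect.
    var target = returnUrl is { Length: > 0 } && returnUrl[0] == '/'
                 && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\")
        ? returnUrl
        : "/";

    // The cookie is set in the HTTP response, so script never needs to read
    // or write it and HttpOnly can stay enabled in every render mode.
    ctx.Response.Cookies.Append(
        CookieRequestCultureProvider.DefaultCookieName, // assumed cookie name
        CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture)),
        new CookieOptions
        {
            HttpOnly = true,
            Secure = ctx.Request.IsHttps,
            SameSite = SameSiteMode.Lax,
            IsEssential = true,
            Expires = DateTimeOffset.UtcNow.AddYears(1),
            Path = "/"
        });

    return Results.LocalRedirect(target);
});

app.Run();
```

The forced reload means the next request carries the new cookie, so the request localization middleware picks up the culture before any circuit or WebAssembly session starts.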
