From ffa0ca93798d4759759d1c4cd0abaf3fd0555bd2 Mon Sep 17 00:00:00 2001
From: Cody
Date: Wed, 7 Aug 2024 11:52:53 -0700
Subject: [PATCH 1/4] Updates Culture and Visitor cookies to use "Lax" SameSite and Secure cookie options

---
 Oqtane.Server/Components/App.razor | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/Oqtane.Server/Components/App.razor b/Oqtane.Server/Components/App.razor
index 327b686fe..dfa24d54c 100644
--- a/Oqtane.Server/Components/App.razor
+++ b/Oqtane.Server/Components/App.razor
@@ -429,7 +429,10 @@
 new CookieOptions()
 {
 Expires = DateTimeOffset.UtcNow.AddYears(10),
- IsEssential = true
+ IsEssential = true,
+ SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
+ Secure = true, // Ensure the cookie is only sent over HTTPS
+ HttpOnly = true // Optional: Helps mitigate XSS attacks
 }
 );
 }
@@ -601,9 +604,19 @@
 
 private void SetLocalizationCookie(string culture)
 {
+ var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions
+ {
+ Expires = DateTimeOffset.UtcNow.AddYears(1),
+ SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
+ Secure = true, // Ensure the cookie is only sent over HTTPS
+ HttpOnly = true // Optional: Helps mitigate XSS attacks
+ };
+
 Context.Response.Cookies.Append(
 CookieRequestCultureProvider.DefaultCookieName,
- CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture)));
+ CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture)),
+ cookieOptions
+ );
 }
 
 private async Task> GetPageResources(Alias alias, Site site, Page page, List modules, int moduleid, string action)

From 4bdf2e1cc08589611f015d1388b697ccb4bcfb0a Mon Sep 17 00:00:00 2001
From: Cody
Date: Wed, 7 Aug 2024 13:21:18 -0700
Subject: [PATCH 2/4] Update AntiForgery Token Cookie Option to HTTPOnly = true;

---
 Oqtane.Server/Startup.cs | 1 +
 1 file changed, 1 insertion(+)

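Review bot: `Secure = true` is hard-coded on the visitor cookie while the antiforgery cookie in this same series keeps `CookieSecurePolicy.SameAsRequest`; on a plain-HTTP origin (local development, or TLS terminated at a proxy that does not forward the scheme) the browser discards a Secure cookie set over HTTP, so the cookie is silently never persisted. The same `Secure = true` line appears in the SetLocalizationCookie hunk below and has the same effect there. Mirroring the antiforgery policy with `Secure = Context.Request.IsHttps,` keeps the attribute on every HTTPS deployment while still working over HTTP; if HTTPS-only is the intended contract, the comment should say so explicitly instead of `// Ensure the cookie is only sent over HTTPS`. The `CookieOptions` initializer here belongs to an Append call whose start and end lie outside the hunk.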
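Review bot: `HttpOnly = true` on the culture cookie in SetLocalizationCookie is the change most likely to have a functional side effect: it removes the cookie from `document.cookie`, so any client-side code that reads the culture cookie through JS interop will stop seeing it — worth verifying against the client before merging, and the `// Optional: Helps mitigate XSS attacks` comment should state that intent rather than call it optional. The hunk also turns the cookie from a session cookie (the removed `Append(name, value)` call passed no options) into one persisted for a year via `Expires = DateTimeOffset.UtcNow.AddYears(1)`, which the commit message does not mention; a comment such as `// persist the selected culture across browser sessions` would record it. Unlike the visitor cookie in the first hunk, `IsEssential` is not set here, so the cookie would be suppressed if a cookie-consent policy is enabled — presumably intended for a preference cookie, but worth confirming.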
diff --git a/Oqtane.Server/Startup.cs b/Oqtane.Server/Startup.cs
index d4bf01610..164d86618 100644
--- a/Oqtane.Server/Startup.cs
+++ b/Oqtane.Server/Startup.cs
@@ -100,6 +100,7 @@ public void ConfigureServices(IServiceCollection services)
 options.Cookie.Name = Constants.AntiForgeryTokenCookieName;
 options.Cookie.SameSite = SameSiteMode.Strict;
 options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+ options.Cookie.HttpOnly = true;
 });
 
 services.AddIdentityCore(options => { })

From a5f8651941c659b9d720bfd16d7db6272d95f615 Mon Sep 17 00:00:00 2001
From: Cody
Date: Wed, 7 Aug 2024 16:24:18 -0700
Subject: [PATCH 3/4] Revert previous cookie HttpOnly option

---
 Oqtane.Server/Startup.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Oqtane.Server/Startup.cs b/Oqtane.Server/Startup.cs
index 164d86618..d4bf01610 100644
--- a/Oqtane.Server/Startup.cs
+++ b/Oqtane.Server/Startup.cs
@@ -100,7 +100,6 @@ public void ConfigureServices(IServiceCollection services)
 options.Cookie.Name = Constants.AntiForgeryTokenCookieName;
 options.Cookie.SameSite = SameSiteMode.Strict;
 options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
- options.Cookie.HttpOnly = true;
 });
 
 services.AddIdentityCore(options => { })

From dcf919fb36bf65577eaa890f9a2dc545b550befb Mon Sep 17 00:00:00 2001
From: Cody
Date: Thu, 8 Aug 2024 12:24:42 -0700
Subject: [PATCH 4/4] Adds AntiForgery Cookie setting options.Cookie.HttpOnly = true;

---
 Oqtane.Server/Startup.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Oqtane.Server/Startup.cs b/Oqtane.Server/Startup.cs
index d4bf01610..164d86618 100644
--- a/Oqtane.Server/Startup.cs
+++ b/Oqtane.Server/Startup.cs
@@ -100,6 +100,7 @@ public void ConfigureServices(IServiceCollection services)
 options.Cookie.Name = Constants.AntiForgeryTokenCookieName;
 options.Cookie.SameSite = SameSiteMode.Strict;
 options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+ options.Cookie.HttpOnly = true;
 });
 
 services.AddIdentityCore(options => { })
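Review bot: The `options.Cookie.HttpOnly = true;` line added in this hunk, reverted in PATCH 3/4 and re-added identically in PATCH 4/4 carries no rationale, and the net effect of the whole series on Startup.cs is this single line. I believe `AntiforgeryOptions.Cookie` already defaults HttpOnly to true, in which case the line documents existing behaviour rather than changing it — confirm against the framework version in use rather than relying on the revert/re-add history. Either way a short comment would stop the next reader from removing it again, e.g. `options.Cookie.HttpOnly = true; // antiforgery cookie must never be readable from script`. ConfigureServices begins and ends outside the hunk.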