[2.1] CookieChunkingManager needs to flow the Secure attribute… (#17953)

Author: Tratcher

eng/PatchConfig.props

@@ -50,4 +50,10 @@ Later on, this will be checked using this condition:
       Microsoft.AspNetCore.SignalR.Core;
     </PackagesInPatch>
   </PropertyGroup>
+  <PropertyGroup Condition=" '$(VersionPrefix)' == '2.1.16' ">
+    <PackagesInPatch>
+      Microsoft.AspNetCore.Authentication.Cookies;
+      Microsoft.AspNetCore.Mvc.Core;
+    </PackagesInPatch>
+  </PropertyGroup>
 </Project>

src/Security/Authentication/OpenIdConnect/samples/OpenIdConnectSample/Startup.cs

@@ -45,7 +45,7 @@ public Startup(IHostingEnvironment env)
 
         private void CheckSameSite(HttpContext httpContext, CookieOptions options)
         {
-            if (options.SameSite > (SameSiteMode)(-1))
+            if (options.SameSite == SameSiteMode.None)
             {
                 var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
                 // TODO: Use your User Agent library of choice here.

src/Security/Authentication/test/WsFederation/WsFederationTest.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -190,7 +190,7 @@ public async Task RemoteSignoutRequestTriggersSignout()
             response.EnsureSuccessStatusCode();
 
             var cookie = response.Headers.GetValues(HeaderNames.SetCookie).Single();
-            Assert.Equal(".AspNetCore.Cookies=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=lax", cookie);
+            Assert.Equal(".AspNetCore.Cookies=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=lax; httponly", cookie);
             Assert.Equal("OnRemoteSignOut", response.Headers.GetValues("EventHeader").Single());
             Assert.Equal("", await response.Content.ReadAsStringAsync());
         }
@@ -440,4 +440,4 @@ protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage reques
             }
         }
     }
-}
+}

src/Security/CookiePolicy/test/CookieChunkingTests.cs

@@ -21,6 +21,29 @@ public void AppendLargeCookie_Appended()
             Assert.Equal("TestCookie=" + testString + "; path=/; samesite=lax", values[0]);
         }
 
+        [Fact]
+        public void AppendLargeCookie_WithOptions_Appended()
+        {
+            HttpContext context = new DefaultHttpContext();
+            var now = DateTimeOffset.UtcNow;
+            var options = new CookieOptions
+            {
+                Domain = "foo.com",
+                HttpOnly = true,
+                SameSite = SameSiteMode.Strict,
+                Path = "/bar",
+                Secure = true,
+                Expires = now.AddMinutes(5),
+                MaxAge = TimeSpan.FromMinutes(5)
+            };
+            var testString = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+            new ChunkingCookieManager() { ChunkSize = null }.AppendResponseCookie(context, "TestCookie", testString, options);
+
+            var values = context.Response.Headers["Set-Cookie"];
+            Assert.Single(values);
+            Assert.Equal($"TestCookie={testString}; expires={now.AddMinutes(5).ToString("R")}; max-age=300; domain=foo.com; path=/bar; secure; samesite=strict; httponly", values[0]);
+        }
+
         [Fact]
         public void AppendLargeCookieWithLimit_Chunked()
         {
@@ -112,19 +135,19 @@ public void DeleteChunkedCookieWithOptions_AllDeleted()
             HttpContext context = new DefaultHttpContext();
             context.Request.Headers.Append("Cookie", "TestCookie=chunks-7");
 
-            new ChunkingCookieManager().DeleteCookie(context, "TestCookie", new CookieOptions() { Domain = "foo.com" });
+            new ChunkingCookieManager().DeleteCookie(context, "TestCookie", new CookieOptions() { Domain = "foo.com", Secure = true });
             var cookies = context.Response.Headers["Set-Cookie"];
             Assert.Equal(8, cookies.Count);
             Assert.Equal(new[]
             {
-                "TestCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
-                "TestCookieC1=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
-                "TestCookieC2=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
-                "TestCookieC3=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
-                "TestCookieC4=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
-                "TestCookieC5=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
-                "TestCookieC6=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
-                "TestCookieC7=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax",
+                "TestCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure; samesite=lax",
+                "TestCookieC1=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure; samesite=lax",
+                "TestCookieC2=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure; samesite=lax",
+                "TestCookieC3=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure; samesite=lax",
+                "TestCookieC4=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure; samesite=lax",
+                "TestCookieC5=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure; samesite=lax",
+                "TestCookieC6=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure; samesite=lax",
+                "TestCookieC7=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; secure; samesite=lax",
             }, cookies);
         }
     }

src/Shared/ChunkingCookieManager/ChunkingCookieManager.cs

@@ -169,6 +169,7 @@ public void AppendResponseCookie(HttpContext context, string key, string value,
                 HttpOnly = options.HttpOnly,
                 Path = options.Path,
                 Secure = options.Secure,
+                MaxAge = options.MaxAge,
             };
 
             var templateLength = template.ToString().Length;
@@ -285,8 +286,10 @@ public void DeleteCookie(HttpContext context, string key, CookieOptions options)
                     Path = options.Path,
                     Domain = options.Domain,
                     SameSite = options.SameSite,
+                    Secure = options.Secure,
                     IsEssential = options.IsEssential,
                     Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
+                    HttpOnly = options.HttpOnly,
                 });
 
             for (int i = 1; i <= chunks; i++)
@@ -300,8 +303,10 @@ public void DeleteCookie(HttpContext context, string key, CookieOptions options)
                         Path = options.Path,
                         Domain = options.Domain,
                         SameSite = options.SameSite,
+                        Secure = options.Secure,
                         IsEssential = options.IsEssential,
                         Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
+                        HttpOnly = options.HttpOnly,
                     });
             }
         }