Skip to content

[2.1] CookieChunkingManager needs to flow the Secure attribute for Delete operations #17953

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 15, 2020
Merged

[2.1] CookieChunkingManager needs to flow the Secure attribute for Delete operations #17953

merged 2 commits into from
Jan 15, 2020

Conversation

Tratcher
Copy link
Member

@Tratcher Tratcher commented Dec 18, 2019
edited
Loading

#17833

This comes from an external report of customers using IdentityServer4. When testing SameSite behavior in Chrome with Core 2.1 they were able to login successfully but had trouble logging out. The new SameSite browser policy requires all cookies that set SameSite=None to also set the secure attribute. Secure was included for sign-in, but it was not included for the sign-out delete cookie because previously there was no need.

This is possible to work around by copying the ChunkingCookieManager class (300 lines) into your application and applying the changes (5 lines).

This was previously fixed in 3.0 independently from the SameSite changes and was not included in the SameSite downlevel patches.

Impact: Moderate. Hitting this issue requires setting a non-default but commonly used option (SameSite=None on the authentication cookie). Applications did this in the past to avoid problems with iOS 12.

Risk: Low. These changes are small and were already included in 3.0.

Set as Draft until the next 2.1.x servicing window opens.

Should this be ported to 2.2.x? 2.2 has reached end-of-life.

@Tratcher Tratcher added Servicing-consider Shiproom approval is required for the issue area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer labels Dec 18, 2019
@Tratcher Tratcher added this to the 2.1.x milestone Dec 18, 2019
@Tratcher Tratcher requested review from analogrelay and HaoK December 18, 2019 20:36
@Tratcher Tratcher self-assigned this Dec 18, 2019
@analogrelay
Copy link
Contributor

Should this be ported to 2.2.x? 2.2 has reached end-of-life.

No, it's reached end of life so we don't intend to backport.

@jamshedd jamshedd added Servicing-approved Shiproom has approved the issue and removed Servicing-consider Shiproom approval is required for the issue labels Jan 7, 2020
@jamshedd
Copy link
Member

jamshedd commented Jan 7, 2020

Approved for Feb.

@analogrelay analogrelay mentioned this pull request Jan 8, 2020
Merged
@analogrelay analogrelay assigned analogrelay and unassigned Tratcher Jan 8, 2020
@vivmishra vivmishra modified the milestones: 2.1.x, 2.1.17 Jan 9, 2020
@vivmishra
Copy link

Moved to Mar as per Tactics. Will need to be explicitly approved for Feb, if required.

@analogrelay
Copy link
Contributor

/azp run

@azure-pipelines
Copy link

Azure Pipelines successfully started running 2 pipeline(s).

@analogrelay analogrelay modified the milestones: 2.1.17, 2.1.16 Jan 15, 2020
@Tratcher Tratcher marked this pull request as ready for review January 15, 2020 17:27
@Tratcher Tratcher requested a review from JunTaoLuo January 15, 2020 18:06
@analogrelay analogrelay merged commit 8211a1c into release/2.1 Jan 15, 2020
@analogrelay analogrelay deleted the tratcher/2.1/samesite branch January 15, 2020 19:07
This was referenced Jan 17, 2020
Closed
Closed
mindlink pushed a commit to mindlink/aspnetcore that referenced this pull request Nov 25, 2020
@Tratcher
Merged PR 5387: [2.2 internal] CookieChunkingManager needs to flow th…
b2f92a5 
…e Secure attribute for Delete operations

dotnet#17953. This is an internal port of the 2.1 fix for extended partners support only.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@analogrelay analogrelay analogrelay approved these changes

@HaoK HaoK Awaiting requested review from HaoK

@JunTaoLuo JunTaoLuo Awaiting requested review from JunTaoLuo

Assignees

@analogrelay analogrelay

Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer Servicing-approved Shiproom has approved the issue
Projects
None yet
Milestone
2.1.16
Development

Successfully merging this pull request may close these issues.
4 participants
@Tratcher @analogrelay @jamshedd @vivmishra