Merge pull request #4493 from thabaum/set-samesite-lax-visitor-cultur…

…e-cookies Fix #4492: Updates Culture and Visitor cookies to use "Lax" SameSite and Secure Cookie Options
oqtane · Aug 10, 2024 · 3054d33 · 3054d33
2 parents 6651e64 + dcf919f
commit 3054d33
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/Oqtane.Server/Components/App.razor b/Oqtane.Server/Components/App.razor
@@ -429,7 +429,10 @@
                     new CookieOptions()
                     {
                         Expires = DateTimeOffset.UtcNow.AddYears(10),
-                        IsEssential = true
+                        IsEssential = true,
+                        SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
+                        Secure = true, // Ensure the cookie is only sent over HTTPS
+                        HttpOnly = true // Optional: Helps mitigate XSS attacks
                     }
                 );
             }
@@ -601,9 +604,19 @@
 
     private void SetLocalizationCookie(string culture)
     {
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions
+        {
+            Expires = DateTimeOffset.UtcNow.AddYears(1),
+            SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
+            Secure = true, // Ensure the cookie is only sent over HTTPS
+            HttpOnly = true // Optional: Helps mitigate XSS attacks
+        };
+
         Context.Response.Cookies.Append(
             CookieRequestCultureProvider.DefaultCookieName,
-            CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture)));
+            CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture)),
+            cookieOptions
+        );
     }
 
     private async Task<List<Resource>> GetPageResources(Alias alias, Site site, Page page, List<Module> modules, int moduleid, string action)

diff --git a/Oqtane.Server/Startup.cs b/Oqtane.Server/Startup.cs
@@ -100,6 +100,7 @@ public void ConfigureServices(IServiceCollection services)
                 options.Cookie.Name = Constants.AntiForgeryTokenCookieName;
                 options.Cookie.SameSite = SameSiteMode.Strict;
                 options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+                options.Cookie.HttpOnly = true;
             });
 
             services.AddIdentityCore<IdentityUser>(options => { })