Comments (3)
For anybody else who finds this issue later...
It's not as simple as a middleware that intercepts outgoing headers and adds "; Partitioned" to certain Set-Cookie statements. That's only half the solution.
Regular cookie expiry from OWIN (e.g. owinContext.Response.Cookies.Delete( cookieName )) does not use Secure, SameSite, etc. even if the original cookie was created with it. For example:
Let's say the original cookie was created like this:
Set-Cookie: MyCookieName=somevalue; path=/foo; HttpOnly; Secure; SameSite=None
The call to owinContext.Response.Cookies.Delete( cookieName ) will generate a response header like this:
Set-Cookie: MyCookieName=; path=/foo; expires=Thu, 01-Jan-1970 00:00:00 GMT
This apparently works fine for clearing non-partitioned cookies, but not for partitioned ones. For those we have to do more like:
Set-Cookie: MyCookieName=; path=/foo; expires=Thu, 01-Jan-1970 00:00:00 GMT; Secure; SameSite=None; Partitioned
But of course we have no way of knowing from the server side which variant the browser has in storage, so we have to send both kinds of Set-Cookie for the same cookie name. And since "session" cookies live forever these days, we have to assume the old ones are hanging around out there.
Also, I agree with @jeffshirley -- when a browser with the majority of the web traffic switches their standard, it's a critical compatibility issue.
from aspnetkatana.
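An added example (not Katana project code and not the commenter's) of the two-header expiry described above, done from OWIN instead of Response.Cookies.Delete(). It assumes Microsoft.Owin's IOwinContext and IHeaderDictionary.AppendValues; the names BuildExpiryHeaders and ExpireBothVariants are chosen here.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Owin;

// Added example, not part of Katana. Emits one expiry header for a legacy
// (non-partitioned) cookie and one for its Partitioned (CHIPS) variant, since
// the server cannot tell which one the browser currently holds.
public static class PartitionedCookieCleanup
{
    private const string Epoch = "Thu, 01-Jan-1970 00:00:00 GMT";

    // Both headers must repeat the original path; the partitioned variant must also
    // repeat Secure, SameSite=None and Partitioned, otherwise the browser treats it
    // as a different cookie and the stored one survives.
    public static IList<string> BuildExpiryHeaders(string name, string path)
    {
        if (string.IsNullOrEmpty(name))
            throw new ArgumentException("cookie name required", nameof(name));
        if (name.IndexOfAny(new[] { ';', ',', ' ', '=' }) >= 0)
            throw new ArgumentException("invalid character in cookie name", nameof(name));

        string prefix = name + "=; path=" + (string.IsNullOrEmpty(path) ? "/" : path)
                        + "; expires=" + Epoch;
        return new List<string>
        {
            prefix,                                           // legacy cookie
            prefix + "; Secure; SameSite=None; Partitioned",  // partitioned cookie
        };
    }

    // Appends both Set-Cookie headers to the OWIN response. Use this in place of
    // owinContext.Response.Cookies.Delete(name) when the cookie may be partitioned.
    public static void ExpireBothVariants(this IOwinContext context, string name, string path)
    {
        foreach (string header in BuildExpiryHeaders(name, path))
        {
            context.Response.Headers.AppendValues("Set-Cookie", header);
        }
    }
}
```

Called as owinContext.ExpireBothVariants("MyCookieName", "/foo"), this produces exactly the two Set-Cookie lines shown in the comment above.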
This project is not in active development.
We make only critical security and compatibility fixes here.
All feature development has moved to ASP.NET Core which already has an issue for this - dotnet/aspnetcore#53224
from aspnetkatana.
I'd argue that this qualifies as a critical compatibility issue.
from aspnetkatana.