How to configure httponly and secure flag in .net core 2.0?


Solution 1

According to the documentation you can configure HttpOnly via IApplicationBuilder.UseCookiePolicy():

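public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    /*..*/
    app.UseStaticFiles();
    // Register the cookie policy before middleware that writes cookies (session here),
    // otherwise the policy is not applied to those cookies.
    app.UseCookiePolicy(new CookiePolicyOptions
    {
        HttpOnly = HttpOnlyPolicy.Always
    });
    app.UseSession();
}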

Solution 2

In ASP.NET Core 2.X you can use the following code:

public void ConfigureServices(IServiceCollection services)
{
    // This can be removed after https://github.com/aspnet/IISIntegration/issues/371
    services.AddAuthentication(
        options =>
        {
            // Blah Blah Blah
        }).AddCookie(opts =>
        {
            // true keeps the authentication cookie inaccessible to client-side script.
            opts.Cookie.HttpOnly = true;
        });
}

public void Configure(IApplicationBuilder app)
{
    app.UseAuthentication();
}

Note that this changed from ASP.NET Core 1.X.

Author: Raju Pandey

Updated on June 04, 2022

Comments

  • Raju Pandey almost 2 years

    There is no error, but I am unable to configure the HttpOnly status in the browser. Can you check my code, please?

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();
        services.AddMvc();
        services.AddSession(options =>
        {
            // Set a short timeout for easy testing.
            options.IdleTimeout = TimeSpan.FromMinutes(20);
            options.Cookie.HttpOnly = true;
            options.Cookie.SameSite = SameSiteMode.Strict;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseSession();
        app.UseStaticFiles();

        app.UseCookiePolicy(new CookiePolicyOptions
        {
            HttpOnly = HttpOnlyPolicy.Always,
            Secure = CookieSecurePolicy.Always,
            MinimumSameSitePolicy = SameSiteMode.None
        });
    }
    
    • Tiago Martins Peres about 6 years
      Please explain what exactly and specifically you want to do and what is the problem you are facing.
    • Chris Pratt about 6 years
      Post the text of the exception you're receiving and your code as text as well. Images can be used to aid understanding, but your question must be able to stand on its own without them.
    • Raju Pandey about 6 years
      In the Chrome browser, under Settings - Advanced - Content settings - Cookies - See all cookies and site data, click the site name. The flags should be: Accessible to script: No (HttpOnly), and Send for: Secure connections only.
  • Raju Pandey about 6 years
    Thank you for your answer. There is no error, but I am still unable to configure the HttpOnly status in the browser.
  • Raju Pandey about 6 years
    public void Configure(IApplicationBuilder app, IHostingEnvironment env) { app.UseSession(); app.UseStaticFiles(); app.UseCookiePolicy(new CookiePolicyOptions { HttpOnly = HttpOnlyPolicy.Always, Secure =CookieSecurePolicy.Always, MinimumSameSitePolicy=SameSiteMode.None }); }
  • Raju Pandey about 6 years
    public void ConfigureServices(IServiceCollection services) { services.AddDistributedMemoryCache(); services.AddMvc(); services.AddSession(options => { options.IdleTimeout = TimeSpan.FromMinutes(20); options.Cookie.HttpOnly = true; options.Cookie.SameSite = SameSiteMode.Strict; options.Cookie.SecurePolicy = CookieSecurePolicy.Always; }); }
  • Marco about 6 years
    Please edit your question. Do not post code as a comment. This is unreadable.
  • Evan over 3 years
    In case it helps anyone else, this didn't work when I put it at the end of the Configure method, but did when I moved it higher up.
  • Marco over 3 years
    @Evan Yes - order matters when using middleware.