How to configure httponly and secure flag in .net core 2.0?
Solution 1
According to the documentation you can configure HttpOnly via IApplicationBuilder.UseCookiePolicy():

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        /*..*/
        // Register the cookie policy before middleware that writes cookies
        // (such as session); middleware order matters.
        app.UseCookiePolicy(new CookiePolicyOptions
        {
            HttpOnly = HttpOnlyPolicy.Always
        });
        app.UseStaticFiles();
        app.UseSession();
    }
Solution 2
In ASP.NET Core 2.X you can use the following code:

    public void ConfigureServices(IServiceCollection services)
    {
        // This can be removed after https://github.com/aspnet/IISIntegration/issues/371
        services.AddAuthentication(
            options =>
            {
                // Authentication options go here.
            }).AddCookie(opts =>
            {
                // Mark the authentication cookie HttpOnly so that
                // client-side script cannot read it.
                opts.Cookie.HttpOnly = true;
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
    }

Note that this changed from ASP.NET Core 1.X
Author: Raju Pandey
Updated on June 04, 2022
Comments
-
Raju Pandey almost 2 years
There is no error, but I am unable to configure the HttpOnly status in the browser. Can you check my code please?

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();
        services.AddMvc();
        services.AddSession(options =>
        {
            // Set a short timeout for easy testing.
            options.IdleTimeout = TimeSpan.FromMinutes(20);
            options.Cookie.HttpOnly = true;
            options.Cookie.SameSite = SameSiteMode.Strict;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseSession();
        app.UseStaticFiles();
        app.UseCookiePolicy(new CookiePolicyOptions
        {
            HttpOnly = HttpOnlyPolicy.Always,
            Secure = CookieSecurePolicy.Always,
            MinimumSameSitePolicy = SameSiteMode.None
        });
    }
-
Tiago Martins Peres about 6 years
Please explain what exactly and specifically you want to do and what is the problem you are facing.
-
Chris Pratt about 6 years
Post the text of the exception you're receiving and your code as text as well. Images can be used to aid understanding, but your question must be able to stand on its own without them.
-
Raju Pandey about 6 years
In the Chrome browser: Settings - under Advanced - Content settings - Cookies - See all cookies and site data - click on the site name. The flags should be: Accessible to script - No (HttpOnly), and Send for - Secure connections only.
-
Raju Pandey about 6 years
Thank you for your answer. There is no error, but I am still unable to configure the HttpOnly status in the browser.
-
Raju Pandey about 6 years

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseSession();
        app.UseStaticFiles();
        app.UseCookiePolicy(new CookiePolicyOptions
        {
            HttpOnly = HttpOnlyPolicy.Always,
            Secure = CookieSecurePolicy.Always,
            MinimumSameSitePolicy = SameSiteMode.None
        });
    }
-
Raju Pandey about 6 years

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();
        services.AddMvc();
        services.AddSession(options =>
        {
            options.IdleTimeout = TimeSpan.FromMinutes(20);
            options.Cookie.HttpOnly = true;
            options.Cookie.SameSite = SameSiteMode.Strict;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }
-
Marco about 6 years
Please edit your question. Do not post code as a comment. This is unreadable.
-
Evan over 3 years
In case it helps anyone else, this didn't work when I put it at the end of the Configure method, but did when I moved it higher up.
-
Marco over 3 years
@Evan Yes - order matters when using middleware.
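
A complete Startup with the ordering the last two comments point to: the cookie policy is registered before session, and it sets both HttpOnly and Secure. This is an added example, not code from the thread; it assumes ASP.NET Core 2.x, and the /cookie-check endpoint and the "probe" key are hypothetical names used only to make the session cookie appear.

```csharp
// Added example, not code from the thread; targets ASP.NET Core 2.x.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();
        services.AddMvc();
        services.AddSession(options =>
        {
            options.IdleTimeout = TimeSpan.FromMinutes(20);
            // Per-cookie settings for the session cookie itself.
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict;
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Before (as in the question): UseSession() came first and
        // UseCookiePolicy() was the last call in Configure.
        // After: the policy sits ahead of every middleware that writes cookies.
        app.UseCookiePolicy(new CookiePolicyOptions
        {
            HttpOnly = HttpOnlyPolicy.Always,
            Secure = CookieSecurePolicy.Always
        });
        app.UseStaticFiles();
        app.UseSession();

        // Hypothetical endpoint for checking the result: storing a value
        // makes the session middleware issue its cookie on this response.
        app.Map("/cookie-check", branch => branch.Run(async context =>
        {
            context.Session.SetString("probe", "1");
            await context.Response.WriteAsync("Inspect the Set-Cookie header.");
        }));

        app.UseMvcWithDefaultRoute();
    }
}
```

Check the result over HTTPS: the Set-Cookie header for the session cookie should carry both `secure` and `httponly`. A cookie marked Secure is not sent back on plain http:// requests, so the session will appear to reset there.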