Added support for Set-Cookie's SameSite attribute in ResponseCookieCollection (#299)

Gradi · Tratcher · commit 39221f8b7008 · 2019-09-06T14:42:19.000-07:00
diff --git a/src/Microsoft.Owin/CookieOptions.cs b/src/Microsoft.Owin/CookieOptions.cs
@@ -47,5 +47,12 @@ public CookieOptions()
         /// </summary>
         /// <returns>true if a cookie is accessible by client-side script; otherwise, false.</returns>
         public bool HttpOnly { get; set; }
+
+        /// <summary>
+        /// Gets or sets a value that indicates on which requests client should or should not send cookie back to the server.
+        /// Set to null to do not include SameSite attribute at all.
+        /// </summary>
+        /// <returns>SameSite attribute value or null if attribute must not be set.</returns>
+        public SameSiteMode? SameSite { get; set; }
     }
 }
diff --git a/src/Microsoft.Owin/Microsoft.Owin.csproj b/src/Microsoft.Owin/Microsoft.Owin.csproj
@@ -95,6 +95,7 @@
     <Compile Include="Infrastructure\SystemClock.cs" />
     <Compile Include="Infrastructure\WebUtils.cs" />
     <Compile Include="ResponseCookieCollection.cs" />
+    <Compile Include="SameSiteMode.cs" />
     <Compile Include="Security\AuthenticateResult.cs" />
     <Compile Include="Security\AuthenticationDescription.cs" />
     <Compile Include="Extensions\IntegratedPipelineExtensions.cs" />
diff --git a/src/Microsoft.Owin/ResponseCookieCollection.cs b/src/Microsoft.Owin/ResponseCookieCollection.cs
@@ -56,6 +56,7 @@ public void Append(string key, string value, CookieOptions options)
             bool domainHasValue = !string.IsNullOrEmpty(options.Domain);
             bool pathHasValue = !string.IsNullOrEmpty(options.Path);
             bool expiresHasValue = options.Expires.HasValue;
+            bool sameSiteHasValue = options.SameSite.HasValue;
 
             string setCookieValue = string.Concat(
                 Uri.EscapeDataString(key),
@@ -66,10 +67,12 @@ public void Append(string key, string value, CookieOptions options)
                 !pathHasValue ? null : "; path=",
                 !pathHasValue ? null : options.Path,
                 !expiresHasValue ? null : "; expires=",
-                !expiresHasValue ? null : options.Expires.Value.ToString("ddd, dd-MMM-yyyy HH:mm:ss ", CultureInfo.InvariantCulture) + "GMT",
+                !expiresHasValue ? null : options.Expires.Value.ToString("ddd, dd-MMM-yyyy HH:mm:ss \\G\\M\\T", CultureInfo.InvariantCulture),
                 !options.Secure ? null : "; secure",
-                !options.HttpOnly ? null : "; HttpOnly");
-            Headers.AppendValues("Set-Cookie", setCookieValue);
+                !options.HttpOnly ? null : "; HttpOnly",
+                !sameSiteHasValue ? null : "; SameSite=",
+                !sameSiteHasValue ? null : GetStringRepresentationOfSameSite(options.SameSite.Value));
+            Headers.AppendValues(Constants.Headers.SetCookie, setCookieValue);
         }
 
         /// <summary>
@@ -138,5 +141,25 @@ public void Delete(string key, CookieOptions options)
                 Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
             });
         }
+
+        /// <summary>
+        /// Analogous to ToString() but without boxing so
+        /// we can save a bit of memory.
+        /// </summary>
+        private static string GetStringRepresentationOfSameSite(SameSiteMode siteMode)
+        {
+            switch (siteMode)
+            {
+                case SameSiteMode.None:
+                    return "None";
+                case SameSiteMode.Lax:
+                    return "Lax";
+                case SameSiteMode.Strict:
+                    return "Strict";
+                default:
+                    throw new ArgumentOutOfRangeException("siteMode",
+                        string.Format(CultureInfo.InvariantCulture, "Unexpected SameSiteMode value: {0}", siteMode));
+            }
+        }
     }
 }
diff --git a/src/Microsoft.Owin/SameSiteMode.cs b/src/Microsoft.Owin/SameSiteMode.cs
@@ -0,0 +1,21 @@
+namespace Microsoft.Owin
+{
+    /// <summary>
+    /// Indicates if the client should include a cookie on "same-site" or "cross-site" requests.
+    /// </summary>
+    public enum SameSiteMode
+    {
+        /// <summary>
+        /// Indicates the client should send the cookie with every requests coming from any origin.
+        /// </summary>
+        None = 0,
+        /// <summary>
+        /// Indicates the client should send the cookie with "same-site" requests, and with "cross-site" top-level navigations.
+        /// </summary>
+        Lax,
+        /// <summary>
+        /// Indicates the client should only send the cookie with "same-site" requests.
+        /// </summary>
+        Strict
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -47,5 +47,12 @@ public CookieOptions()`
`47`	`47`	`/// </summary>`
`48`	`48`	`/// <returns>true if a cookie is accessible by client-side script; otherwise, false.</returns>`
`49`	`49`	`public bool HttpOnly { get; set; }`
	`50`	`+`
	`51`	`+ /// <summary>`
	`52`	`+ /// Gets or sets a value that indicates on which requests client should or should not send cookie back to the server.`
	`53`	`+ /// Set to null to do not include SameSite attribute at all.`
	`54`	`+ /// </summary>`
	`55`	`+ /// <returns>SameSite attribute value or null if attribute must not be set.</returns>`
	`56`	`+ public SameSiteMode? SameSite { get; set; }`
`50`	`57`	`}`
`51`	`58`	`}`