[Announcement] Cookie name encoding being removed to prevent spoofing of security prefixes #23578

Closed
@Tratcher

Description

Cookie name encoding being removed to prevent spoofing of security prefixes

The HTTP cookie standard only allows specific characters in cookie names and values. ASP.NET Core and other web frameworks accommodate disallowed characters in these fields by encoding them when creating a response cookie and decoding when reading a request cookie.

This encoding behavior is being changed in response to a security concern.

Version introduced

5.0

Old behavior

Response cookie names would be encoded, and request cookie names would be decoded.

New behavior

In .NET 5.0 we will remove the cookie name encoding and decoding. For prior supported versions we plan to mitigate the decoding issue in place.

Cookie value encoding and decoding will not be changed.

Reason for change

An issue was discovered in multiple web frameworks where this encoding/decoding could allow an attacker to bypass a security feature called cookie prefixes by spoofing the reserved prefixes like __Host- with encoded values like __%48ost-. This attack requires a secondary exploit in order to inject the spoofed cookies, such as an XSS vulnerability in the web site. These prefixes are not used by default in ASP.NET Core or Microsoft.Owin libraries or templates.

All versions of ASP.NET Core and Microsoft.Owin are affected.

Recommended action

Applications moving to .NET 5.0 should ensure that their cookie names conform to the token spec requirements: ASCII characters excluding controls and separators "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <"> | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT. The use of non-ASCII characters in cookie names or other HTTP headers may cause an exception from the server, or be improperly round tripped by the client.

Category

ASP.NET

Affected APIs

HttpRequest.Cookies
HttpResponse.Cookies
IOwinRequest.Cookies
IOwinResponse.Cookies

Labels: area-networking (servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions), breaking-change (this issue / PR will introduce a breaking change when resolved / merged)