【Question title】:How to set secure on .AspNetCore.OpenIdConnect.Nonce and .AspNetCore.Correlation cookies?
【Posted】:2022-01-18 18:29:16
【Question description】:

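I have an ASP.NET Core 6 MVC Razor pages application that uses Microsoft Identity for AzureAD integrated authentication, running on an Azure Linux AppService plan (with HTTPS enforced).

The authentication integration works like a charm. Couldn't be happier.

But in my logs I see warnings like this:

The cookie '".AspNetCore.Correlation.[...]"' has set 'SameSite=None' and must also set 'Secure'.

(and for the .AspNetCore.OpenIdConnect.Nonce cookie).

I have tried adding a cookie policy: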

app.UseCookiePolicy(new CookiePolicyOptions
{
    HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always,
    MinimumSameSitePolicy = Microsoft.AspNetCore.Http.SameSiteMode.None,
    Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always
});

But no joy.

I tried placing the code right after "var app = builder.Build();" and after "app.UseAuthentication(); app.UseAuthorization();" (just before app.MapRazorPages().RequireAuthorization("MyRoleId")).

Any ideas on how to set these cookies as secure?

【Question discussion】:

    Tags: c# asp.net-core cookies azure-web-app-service microsoft-identity-web


    【Solution 1】:

    Generally, the cookie policy is added before app.UseAuthentication(); because that will write the cookies. Here is the code:

    using Microsoft.AspNetCore.CookiePolicy; // HttpOnlyPolicy is defined in this namespace
    
    var builder = WebApplication.CreateBuilder(args);
    
    // Add services to the container.
    builder.Services.AddRazorPages();
    
    var app = builder.Build();
    
    // Configure the HTTP request pipeline.
    if (!app.Environment.IsDevelopment())
    {
        app.UseExceptionHandler("/Error");
        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }
    
    app.UseHttpsRedirection();
    app.UseStaticFiles();
    app.UseRouting();
    
    // Add this before any other middleware that might write cookies
    app.UseCookiePolicy(new CookiePolicyOptions
    {
        HttpOnly = HttpOnlyPolicy.Always,
        MinimumSameSitePolicy = SameSiteMode.None,
        Secure = CookieSecurePolicy.Always
    });
    
    // This will write cookies, so make sure it's after the cookie policy
    app.UseAuthorization();
    app.MapRazorPages();
    app.Run();
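
The following is an added example, not part of the original question or answer: it sets the secure policy directly on the OpenID Connect handler's correlation and nonce cookie builders, which are the cookies named in the warning, and enables forwarded-header processing so the app sees the original HTTPS scheme. It assumes sign-in is registered through Microsoft.Identity.Web from an "AzureAd" configuration section, and that TLS is terminated by the platform in front of the app.

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Assumption: Azure AD sign-in is registered via Microsoft.Identity.Web,
// reading its settings from an "AzureAd" configuration section.
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// The .AspNetCore.Correlation.* and .AspNetCore.OpenIdConnect.Nonce.* cookies
// are written by the OpenID Connect handler from these two cookie builders.
builder.Services.Configure<OpenIdConnectOptions>(
    OpenIdConnectDefaults.AuthenticationScheme, options =>
    {
        options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
        options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
    });

// When TLS ends at a proxy, the app receives plain HTTP. Honoring
// X-Forwarded-Proto lets Request.IsHttps reflect the client's scheme.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    // Assumption: the app is reachable only through the platform's proxy.
    // Clearing these lists trusts forwarded headers from any sender, so do
    // not do this if clients can connect to the app directly.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

builder.Services.AddRazorPages();

var app = builder.Build();

app.UseForwardedHeaders();   // must run before anything that checks the scheme
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();     // the handler writes the nonce/correlation cookies
app.UseAuthorization();
app.MapRazorPages();
app.Run();
```

To check the result, start a sign-in and inspect the `Set-Cookie` headers on the redirect to the identity provider: both cookies should carry `secure` together with `samesite=none`.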
    

    【Discussion】:
