How to configure httponly and secure flag in .net core 2.0?

Raju Pandey picture Raju Pandey · Mar 19, 2018 · Viewed 13.2k times · Source

There is no error But I am unable to configuration httponly status in browser. Can you check my code please.

public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();
        services.AddMvc();
        services.AddSession(options =>
        {
            // Set a short timeout for easy testing.
            options.IdleTimeout = TimeSpan.FromMinutes(20);
            options.Cookie.HttpOnly = true;
            options.Cookie.SameSite = SameSiteMode.Strict;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
          });
      }
 public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
       app.UseSession();
        app.UseStaticFiles();

        app.UseCookiePolicy(new CookiePolicyOptions
        {
            HttpOnly = HttpOnlyPolicy.Always,
            Secure =CookieSecurePolicy.Always,
            MinimumSameSitePolicy=SameSiteMode.None
        });
      }

Answer

Marco picture Marco · Mar 19, 2018

According to the documentation you can configure HttpOnly via IApplicationBuilder.UseCookiePolicy():

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    /*..*/
    app.UseStaticFiles();
    app.UseSession();
    app.UseCookiePolicy(new CookiePolicyOptions
    {
        HttpOnly = HttpOnlyPolicy.Always
    });
}