How to configure httponly and secure flag in .net core 2.0?
There is no error But I am unable to configuration httponly status in browser. Can you check my code please.
public void ConfigureServices(IServiceCollection services)
{
services.AddDistributedMemoryCache();
services.AddMvc();
services.AddSession(options =>
{
// Set a short timeout for easy testing.
options.IdleTimeout = TimeSpan.FromMinutes(20);
options.Cookie.HttpOnly = true;
options.Cookie.SameSite = SameSiteMode.Strict;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseSession();
app.UseStaticFiles();
app.UseCookiePolicy(new CookiePolicyOptions
{
HttpOnly = HttpOnlyPolicy.Always,
Secure =CookieSecurePolicy.Always,
MinimumSameSitePolicy=SameSiteMode.None
});
}
Answer
According to the documentation you can configure HttpOnly via IApplicationBuilder.UseCookiePolicy():
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
/*..*/
app.UseStaticFiles();
app.UseSession();
app.UseCookiePolicy(new CookiePolicyOptions
{
HttpOnly = HttpOnlyPolicy.Always
});
}