dotnet/aspnetcore

Response cookies Append inconsistently applies SameSite default

aspnet-hello opened this issue · 5 comments

From @Tratcher on Wednesday, December 27, 2017 9:11:02 AM

The two Append overloads have inconsistent behavior for the SameSite property that was added in 2.0.

```csharp
context.Response.Cookies.Append("Name1", "Value1");
context.Response.Cookies.Append("Name2", "Value2", new CookieOptions());
```

```http
Set-Cookie:Name1=Value1; path=/
Set-Cookie:Name2=Value2; path=/; samesite=lax
```

The two overloads should have the same defaults.

I noticed because we're making changes to CookiePolicy for http://github.com/aspnet/Security/issues/1561 and adding it to the templates. This will have the side-effect of causing the Append API to consistently use the second overload's behavior.

Copied from original issue: aspnet/HttpAbstractions#982
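As an added example (not code from aspnetcore or from this issue), a response-header audit a defender can run over captured responses: it parses raw Set-Cookie lines and flags cookies that were emitted without any SameSite attribute and therefore fall back to the browser's default, which is what the first Append overload above produces. The sample headers are constructed from the two lines quoted in the issue plus one extra cookie; the function names are this example's own.

```python
from typing import Dict, List, Tuple

# Constructed sample headers: the two lines quoted in the issue, plus a cookie
# that explicitly sets SameSite=None (browsers only accept that with Secure).
SAMPLE_HEADERS = [
    "Set-Cookie:Name1=Value1; path=/",
    "Set-Cookie:Name2=Value2; path=/; samesite=lax",
    "Set-Cookie: Session=abc123; path=/; httponly; SameSite=None",
]


def parse_set_cookie(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie_name, attributes) for one raw Set-Cookie header line.
    Attribute names are lower-cased so 'samesite' and 'SameSite' compare
    equal; flag attributes such as Secure and HttpOnly map to "".
    """
    _, _, value = line.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, has_eq, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else ""
    return name, attrs


def audit_samesite(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its SameSite findings (empty list if clean).

    No SameSite attribute means the browser applies its own default, which is
    the per-overload inconsistency the issue describes; SameSite=None without
    Secure is flagged because browsers drop such cookies.
    """
    findings: Dict[str, List[str]] = {}
    for line in headers:
        name, attrs = parse_set_cookie(line)
        problems: List[str] = []
        samesite = attrs.get("samesite")
        if samesite is None:
            problems.append("no explicit SameSite; browser default applies")
        elif samesite.lower() == "none" and "secure" not in attrs:
            problems.append("SameSite=None without Secure")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for cookie, problems in audit_samesite(SAMPLE_HEADERS).items():
        print(f"{cookie}: {problems or 'ok'}")
```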

This is a bug, but fixing it is a breaking change. We'll fix this in 3.0.0.

@Tratcher feel free to close if you feel the breaking change is not worth it.

SameSite has been such a minefield that the best default here would likely be None. That goes for CookiePolicy as well. We can turn it up for specific components.

@blowdart

Yea sigh :( None should be the default.