Reduce duplication when configuring cookie options #853
Comments
|
Review:
|
|
@muratg these would be breaking changes that should be considered for RTM |
|
Alternatively, you could consider using |
|
cc @javiercn |
|
We went with the Action<HttpContext,CookieOptions> approach in the OpenIdConnect/RemoteAuthentication options as needed for aspnet/Security#1262. The twitter middleware is the last one that requires this on the security repo as far as I know. We shouldn't do this for the cookie policy middleware IMO as it would broaden the scope of the middleware and would require more design, and its something that can be revisited on 2.1 |
|
cc @Eilon, @danroth27, @DamianEdwards do we want this in 2.0.0 (and obsolete the existing Options?) Or we can do it in 2.1, but then we can't obsolete them until 3.0. |
|
We'll try to get this in because of the reason I mentioned above. @natemcmaster please consult with @Tratcher on the ideas how to do this. |
|
I exampled the repos Chris listed above. To be consistent with the pattern established by Antiforgery, I believe these are the changes we would make: Security
Session
MVC
LocalizationI didn't find any API that duplicates CookieOptions. @Tratcher? Rewrite
Proposal: leave as is. Normally, a user wouldn't interact with this API. This is "pubternal" anyways. |
|
The localization cookies shouldn't need any changes, they have their own format and are used differently from the cookies in other repos. |
|
Is there any reason we can't just have nested CookieOptions property instead of an |
|
The HttpContext is required for Session and Security because CookieOptions does not take support Side note: I'm not convinced there is enough value in breaking the API. The For comparison: // current
services.AddSession(o =>
{
o.CookiePath = "/somepath";
o.CookieSecure = CookieSecurePolicy.SameAsRequest;
});
// with action property
services.AddSession(o =>
{
o.ConfigureCookieOptions = (context, cookie) =>
{
cookie.Path = "/somepath";
cookie.Secure = context.Request.IsHttps;
};
}); |
|
The current looks simplier to me, what's the benefit of the action? |
|
Consistency and future proofing. Right now every component that uses cookies duplicates some subset of CookieOptions. We're not consistent about which options are exposed across the stack. We've also added several CookieOptions recently and had to go expose those new settings everywhere. If we directly expose the Action/CookieOptions then all of the options are consistently available everywhere, and we don't have to update each component when there are additions. |
|
Can we just add a new SecurePolicy property to CookieOptions, and then add CookieOptions instances to all of the feature options, so it looks like And just resolve the secure property before we use the options? |
|
That doesn't work with concurrent requests unless you clone the CookieOptions each time before modifying the secure setting. |
|
That's about the same as the problem we have with TokenValidationParameters in OpenIdConnect, always having to clone them before we can use them. |
|
That seems okay right? Basically use the options.Cookie as the default cookie options to clone from and its a logical place to hang SecurePolicy. |
|
@natemcmaster Another option I don't think the lambda is terrible and it can be made pretty with a helper method. And the action is better for all the reasons @Tratcher mentions above. |
|
Exposing a sub CookieOptions directly also solves future proofing and consistency, without any of the complexity that the Action brings... So that's not a differentiation between the two choices. I think its also slightly weird to make it look like IOptions/Configure when its not actually using Options |
|
It doesn't need to be the cookie options type directly, that's a per cookie instance. What if there were a cookie settings object that had things like secure policy rather than the secure bool. |
|
Don't we normally use fluent api for builders? I'm can't think of places where we use properties on builders |
|
I wasn't suggesting a builder, just a POCO settings object. |
|
We definitely have some that expose properties: I think its more of a look/feel choice, if we want it to feel like configuring options, I'd go with properties. The fluent seems nicer for chaining via @Tratcher In this case, the builder is a POCO settings object with a Build method, its just clear what its doing from the name this way. |
|
I like this. +1 |
|
Getting there. Build needs to account for SecurePolicy. CookieOptionsBuilder would have most/all of the CookieOptions expose, correct? Include: Domain, Path, SameSite, HttpOnly. Note Build does not need to be a method on the type itself, all of the information is public. We're going to want a version of Build that takes an ISytemClock for calculating expiration. |
|
Yeah it should have all of the properties that are on cookie options. Ideally you have a public Build that does all the common stuff so you can test it in httpabstractions. Each repo could then further tweak after building as stuff like ISystemClock only lives in security right?
… On Jun 29, 2017, at 10:52 AM, Chris Ross ***@***.***> wrote:
Getting there. Build needs to account for SecurePolicy. CookieOptionsBuilder would have most/all of the CookieOptions expose, correct?
Include: Domain, Path, SameSite, HttpOnly.
Exclude: Secure, Expires
Add: CookieSecurePolicy, Name, Expiration (nullable TimeSpan, relative version of Expires).
Note Build does not need to be a method on the type itself, all of the information is public. We're going to want a version of Build that takes an ISytemClock for calculating expiration.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
How about we leave off Expires/Expiration for now until? We don't need it in Session or Antiforgery. We can add it later. Optionally, Security can extend the builder to support ISystemClock. Proposal: namespace Microsoft.AspNetCore.Http
{
public class CookieOptionsBuilder
{
public string Path { get; set; }
public string Domain { get; set; }
public bool HttpOnly { get; set; }
public SameSiteMode SameSite { get; set; }
public CookieSecurePolicy SecurePolicy { get; set; }
public CookieOptions Build(HttpContext context)
{
}
}
} |
|
Is CookieName universal right now? If so maybe we should move that into CookieBuilder/CookieOptions? |
|
It's not. OpenIdConnectOptions doesn't let users fully customize the NonceCookie name. |
|
IMO this is a bit overkill. In my option, having Action<HttpContext,CookieOptions> is more than enough for the following reasons:
|
|
I don't think consumers would agree, personally I'd much rather set options.Cookie.Path = "/path", than wire up some gross looking lambda The public surface area to people is normal options configuration, they don't call build, we call build, so they don't even need to understand what HttpContext is used for cuz they don't see it. |
|
Meeting notes: |
natemcmaster
changed the title
natemcmaster
changed the title
|
This was completed in the following PRs: #882 |
As per discussion in aspnet/Antiforgery#141. We should use the Action<..., CookieOptions> pattern on each components' options to configure the cookie options instead of duplicating them. Need to look through our code base for where we configure cookie options and update them where necessary.
The text was updated successfully, but these errors were encountered: