NancyFx / Nancy

Lightweight, low-ceremony, framework for building HTTP based services on .Net and Mono
http://nancyfx.org
MIT License

NancyCookie doesn't have support for SameSite changes #3002

Open drewfreyling opened 4 years ago

drewfreyling commented 4 years ago

Nancy Version: Tested 1.4.5 and 2.0.0

Currently, with all the SameSite cookie changes being done in Chrome (and FF and Edge), there is no nice way to set the SameSite options for a NancyCookie. See https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1 for more details.

Particularly this becomes a higher priority now that Chrome 80 is stable and has breaking changes around SameSite properties.

The only current workaround I can see for the moment is to add an OWIN middleware and manually change the cookies myself.

panManfredini commented 4 years ago

Hi, a bit uglier workaround (but maybe simpler) is to just add "; SameSite=" to the value of the cookie (note the semicolon). In the end, what is done is a simple string concat of options.

drewfreyling commented 4 years ago

Yup, a class that extends NancyCookie and overrides the ToString method works better as a workaround.
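
A sketch of the subclass workaround described in this comment, added here as an example; it is not code from the thread or from the Nancy project. `SameSiteMode` and `SameSiteNancyCookie` are hypothetical names, and the approach assumes the host builds the `Set-Cookie` header from the cookie's `ToString()` output, as the comments above describe.

```csharp
using System;
using Nancy.Cookies;

// Hypothetical enum: Nancy 1.4.5 / 2.0.0 has no SameSite type of its own.
// The member names double as the attribute values written to the header.
public enum SameSiteMode { Lax, Strict, None }

// Hypothetical subclass implementing the ToString() override workaround.
public class SameSiteNancyCookie : NancyCookie
{
    public SameSiteNancyCookie(string name, string value, SameSiteMode sameSite,
                               bool httpOnly = true, bool secure = true)
        : base(name, value, httpOnly, secure)
    {
        // Browsers enforcing the new SameSite behaviour (Chrome 80 onward)
        // reject SameSite=None cookies that lack Secure, so fail early
        // instead of emitting a cookie that is silently dropped.
        if (sameSite == SameSiteMode.None && !secure)
        {
            throw new ArgumentException(
                "SameSite=None requires the Secure attribute.", "secure");
        }

        this.SameSite = sameSite;
    }

    public SameSiteMode SameSite { get; private set; }

    public override string ToString()
    {
        // base.ToString() yields "name=value; path=...; Secure; HttpOnly";
        // the attribute is appended as one more "; "-separated option.
        return base.ToString() + "; SameSite=" + this.SameSite;
    }
}

// Usage inside a route handler (cookie name and value are constructed samples):
//   return Response.AsText("ok")
//       .WithCookie(new SameSiteNancyCookie("session", "abc123", SameSiteMode.Lax));
```

Unlike appending "; SameSite=" to the cookie value, this keeps the attribute out of the value, so code that reads `Value` back is unaffected.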

0x414c49 commented 4 years ago

I just made a PR to add SameSite property.