aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

Nonce cookie should honour CookieAuthenticationOptions.CookieSecure option in UseCookieAuthentication() #423

Closed rcarde closed 3 years ago

rcarde commented 3 years ago

The nonce cookie's Secure flag is set in RememberNonce() and is based on whether the Request is secure or not. This causes issues where a web app is deployed via a reverse proxy that is doing TLS offloading and the back end connection is not secure.

With SameSite = None, the cookie should always be secure; however, there may be times when the cookie should honour the request.

The solution here would be to adopt the value for CookieAuthenticationOptions.CookieSecure set in UseCookieAuthentication(). By default, CookieAuthenticationOptions.CookieSecure is set to CookieSecureOption.SameAsRequest, which is consistent with the current behaviour. The advantage is that the default can be overridden with CookieSecureOption.Always, which allows an insecure request to return the nonce cookie marked as Secure.
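The policy the issue proposes, written out as an added illustration (this is not Katana's RememberNonce() code); it assumes the Microsoft.Owin.Security.Cookies package for the CookieSecureOption enum, takes the request's scheme and the SameSite choice as plain booleans, and shows the TLS-offloading case where the back-end request is plain HTTP:

```csharp
using System;
using Microsoft.Owin.Security.Cookies; // CookieSecureOption: Always, Never, SameAsRequest

// Added example, not Katana's own implementation.
public static class NonceCookieSecurePolicy
{
    // Decides the Secure flag for the nonce cookie from the configured
    // CookieSecureOption instead of only from Request.IsSecure.
    public static bool ShouldBeSecure(CookieSecureOption option, bool requestIsSecure, bool sameSiteNone)
    {
        // Browsers reject SameSite=None cookies that are not also Secure,
        // so that case is forced regardless of the configured option.
        if (sameSiteNone)
        {
            return true;
        }

        switch (option)
        {
            case CookieSecureOption.Always:
                return true;
            case CookieSecureOption.Never:
                return false;
            case CookieSecureOption.SameAsRequest:
            default:
                // Current Katana behaviour: mirror the request's own scheme.
                return requestIsSecure;
        }
    }

    public static void Main()
    {
        // Constructed scenario: reverse proxy terminates TLS, back-end sees HTTP.
        const bool backEndRequestIsSecure = false;

        // Default option keeps today's behaviour: cookie goes out without Secure.
        Console.WriteLine(ShouldBeSecure(CookieSecureOption.SameAsRequest, backEndRequestIsSecure, false)); // False

        // Overriding with Always fixes the offloading case: cookie is marked Secure.
        Console.WriteLine(ShouldBeSecure(CookieSecureOption.Always, backEndRequestIsSecure, false)); // True

        // SameSite=None must be Secure even with the default option.
        Console.WriteLine(ShouldBeSecure(CookieSecureOption.SameAsRequest, backEndRequestIsSecure, true)); // True
    }
}
```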

Tratcher commented 3 years ago

See https://github.com/aspnet/AspNetKatana/issues/422#issuecomment-876111322

ghost commented 3 years ago

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.