dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

AddSession Sets wrong Cookie Path #48165

Open Coder3333 opened 1 year ago

Coder3333 commented 1 year ago

Is there an existing issue for this?

Describe the bug

SessionServiceCollectionExtensions.AddSession creates a cookie with the Path of "/", ignoring the path base of the web application. This is further complicated in that AddSession does not provide a way to access the HttpContext, so my code cannot easily set the cookie path to the desired value.

Documents cookie behavior of AddSession: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/app-state?view=aspnetcore-7.0#session-options

Documents the problem: https://stackoverflow.com/q/54362266/4194514

Expected Behavior

The cookie created by SessionServiceCollectionExtensions.AddSession should use the path base of the web application, similarly to how antiforgery token does.

Steps To Reproduce

Give your web application a path base and use SessionServiceCollectionExtensions.AddSession to add session to the website, but do not specify a path of the session cookie. You will see in code that the path of the cookie is set by the framework to "/", which I believe comes from SessionDefaults.CookiePath.

Exceptions (if any)

No response

.NET Version

No response

Anything else?

I see 3 different ways to fix this issue.

  1. Automatically set the cookie Path to the application's PathBase, instead of SessionDefaults.CookiePath.
  2. Change the value of SessionDefaults.CookiePath from "/" to the application's path base.
  3. Add an additional signature to SessionServiceCollectionExtensions.AddSession that accepts the http context, so my custom code can determine the PathBase and set it as the cookie path.

Tratcher commented 1 year ago

Here is what Antiforgery does: https://github.com/dotnet/aspnetcore/blob/4afe7f612d104b43b690e71d83c18a8bc48aae2d/src/Antiforgery/src/Internal/DefaultAntiforgeryTokenStore.cs#L79-L99

Changing the default for Session would be breaking. Note we also use / for auth. I'm not sure why Antiforgery does something different.

Edit: never mind, auth also uses path base by default. https://github.com/dotnet/aspnetcore/blob/4afe7f612d104b43b690e71d83c18a8bc48aae2d/src/Security/Authentication/Core/src/RequestPathBaseCookieBuilder.cs#L22-L38
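As an added example (not code from this issue or from the aspnetcore repository), the following minimal `Program.cs` shows the workaround the issue's option 1 describes, done from application code rather than by the framework: an app that knows its path base at startup scopes the session cookie to that base instead of leaving it at `SessionDefaults.CookiePath` (`"/"`). The configuration key `PathBase` is an assumption made for the example; the `SessionOptions.Cookie`, `UsePathBase` and `SetString` APIs are real ASP.NET Core APIs.

```csharp
// Added example: scoping the session cookie to the app's path base.
// Assumes the path base is known at startup (here from a hypothetical
// "PathBase" configuration key), because AddSession runs before any
// HttpContext exists, which is exactly the limitation the issue reports.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical setting; e.g. "PathBase": "/myapp" in appsettings.json.
// Falls back to "/" so the app still works when hosted at the root.
string pathBase = builder.Configuration["PathBase"] ?? "/";

builder.Services.AddDistributedMemoryCache();
builder.Services.AddSession(options =>
{
    // Without this line the cookie is issued with Path=/ (SessionDefaults.CookiePath),
    // so the browser sends it to every application on the same host.
    options.Cookie.Path = pathBase;

    // Usual session-cookie hardening; unrelated to the path bug but
    // what a practitioner would set alongside it.
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.IdleTimeout = TimeSpan.FromMinutes(20);
});

var app = builder.Build();

// Mount the app under the path base so request.PathBase is populated.
app.UsePathBase(pathBase);
app.UseSession();

// Touching the session forces the Set-Cookie header to be emitted,
// which makes the resulting Path attribute easy to inspect.
app.MapGet("/", (HttpContext ctx) =>
{
    ctx.Session.SetString("visited", "true");
    return $"PathBase seen by the app: '{ctx.Request.PathBase}'";
});

app.Run();
```

To check the result, request the root of the mounted app (for example `curl -i https://localhost:5001/myapp/`) and confirm the `Set-Cookie: .AspNetCore.Session=...` header carries `path=/myapp` rather than `path=/`. Two reasons this matters beyond tidiness: with the default `Path=/`, two ASP.NET Core apps on the same host at different path bases both issue a cookie named `.AspNetCore.Session` at the same path, so each overwrites the other's session cookie; and the cookie is sent to applications that have no business receiving it. The value must match the path the browser actually sees, since the browser matches the cookie's `Path` against the URL it requests; if a reverse proxy strips the prefix before forwarding, configure the path base from the proxy's view of the URL, not from the stripped path.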

Coder3333 commented 1 year ago

@Tratcher, I haven't tracked down the Microsoft source code yet, but in my application AddAuthentication and AddAntiforgery are creating their cookies with the proper path base, even though I am not doing anything to control that value. So far, AddSession is the only one of these that is creating the cookie at "/".

ahaeber commented 8 months ago

/azp run

wessleym commented 1 day ago

I also would appreciate if AddSession acted in the same way as AddAuthentication and AddAntiforgery. Thank you.