Open Coder3333 opened 1 year ago
Here is what Antiforgery does: https://github.com/dotnet/aspnetcore/blob/4afe7f612d104b43b690e71d83c18a8bc48aae2d/src/Antiforgery/src/Internal/DefaultAntiforgeryTokenStore.cs#L79-L99
Changing the default for Session would be breaking. Note we also use / for auth. I'm not sure why Antiforgery does something different.
Edit: never mind, auth also uses path base by default. https://github.com/dotnet/aspnetcore/blob/4afe7f612d104b43b690e71d83c18a8bc48aae2d/src/Security/Authentication/Core/src/RequestPathBaseCookieBuilder.cs#L22-L38
@Tratcher, I haven't tracked down the Microsoft source code yet, but in my application AddAuthentication and AddAntiforgery are creating their cookies with the proper path base, even though I am not doing anything to control that value. So far, AddSession is the only one of these that is creating the cookie at "/".
/azp run
I also would appreciate if AddSession acted in the same way as AddAuthentication and AddAntiforgery. Thank you.
Is there an existing issue for this?
Describe the bug
SessionServiceCollectionExtensions.AddSession creates a cookie with the Path of "/", ignoring the path base of the web application. This is further complicated in that AddSession does not provide a way to access the HttpContext, so my code cannot easily set the cookie path to the desired value.
Documents cookie behavior of AddSession: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/app-state?view=aspnetcore-7.0#session-options
Documents the problem: https://stackoverflow.com/q/54362266/4194514
Expected Behavior
The cookie created by SessionServiceCollectionExtensions.AddSession should use the path base of the web application, similarly to how the antiforgery token does.
Steps To Reproduce
Give your web application a path base and use SessionServiceCollectionExtensions.AddSession to add session to the website, but do not specify a path of the session cookie. You will see in code that the path of the cookie is set by the framework to "/", which I believe comes from SessionDefaults.CookiePath.
Exceptions (if any)
No response
.NET Version
No response
Anything else?
I see 3 different ways to fix this issue.
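An added example, not part of the original issue and not framework code: a session cookie builder that resolves the path per request, in the style of the RequestPathBaseCookieBuilder linked above, so the session cookie is scoped to the application's path base instead of "/". It assumes SessionOptions.Cookie can be assigned a custom CookieBuilder; the class name PathBaseSessionCookieBuilder and the "/app1" path base are hypothetical.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDistributedMemoryCache();
// Replace the default session cookie builder, whose Path is fixed at "/".
builder.Services.AddSession(o => o.Cookie = new PathBaseSessionCookieBuilder());

var app = builder.Build();
app.UsePathBase("/app1");   // constructed path base for the demo
app.UseSession();
app.Run(async context =>
{
    // Writing to the session makes the middleware issue the cookie.
    context.Session.SetString("demo", "1");
    await context.Response.WriteAsync("session started");
});
app.Run();

// Hypothetical helper, not a framework type.
public sealed class PathBaseSessionCookieBuilder : CookieBuilder
{
    public PathBaseSessionCookieBuilder()
    {
        // Start from the framework's session cookie defaults, but leave Path unset.
        var defaults = new SessionOptions().Cookie;
        Name = defaults.Name;
        SecurePolicy = defaults.SecurePolicy;
        SameSite = defaults.SameSite;
        HttpOnly = defaults.HttpOnly;
        IsEssential = defaults.IsEssential;
    }

    public override CookieOptions Build(HttpContext context, DateTimeOffset expiresFrom)
    {
        var options = base.Build(context, expiresFrom);
        if (Path is null)
        {
            // Resolved per request: scope to the path base, or "/" when there is none.
            var pathBase = context.Request.PathBase;
            options.Path = pathBase.HasValue ? pathBase.Value : "/";
        }
        return options;
    }
}
```

With this in place, a request under /app1 receives the session cookie with path=/app1, so the browser does not send it to other applications hosted under different path bases on the same host.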