This repository was archived by the owner on Dec 13, 2018. It is now read-only.

Changing name of correlation and nonce cookie in OpenID Connect middleware #1033

Closed
jonas-stjernquist opened this issue Nov 10, 2016 · 2 comments

Comments

@jonas-stjernquist

I'm using the two ASP.NET Core middlewares for OpenID Connect and cookie authentication like below:

// Cookie middleware: holds the signed-in session after the OIDC round trip.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationScheme = "cookie",
    CookieName = "clientcookiename",
    CookieHttpOnly = true,
    CookieSecure = _hostingEnvironment.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always,
    AutomaticAuthenticate = true,
    AutomaticChallenge = false,
    ExpireTimeSpan = TimeSpan.FromMinutes(60)
});

// OIDC middleware: performs the remote login and signs in to the "cookie" scheme above.
var oidcOptions = new OpenIdConnectOptions
{
    AuthenticationScheme = "oidc",
    SignInScheme = "cookie",
    ...
};
app.UseOpenIdConnectAuthentication(oidcOptions);

During login in the web application this results in some default cookies related to nonce and correlation which look like this (exported from my browser developer tools):

[
  {
    "domain": "localhost",
    "expirationDate": 1478762475.872038,
    "hostOnly": true,
    "httpOnly": true,
    "name": ".AspNetCore.OpenIdConnect.Nonce.CfDJ...ihRRfQid0Rw",
    "path": "/",
    "sameSite": "no_restriction",
    "secure": false,
    "session": false,
    "storeId": "0",
    "value": "N",
    "id": 1
  },
  {
    "domain": "localhost",
    "expirationDate": 1478762474.872093,
    "hostOnly": true,
    "httpOnly": true,
    "name": ".AspNetCore.Correlation.oidc.Apx...XlCFhuc...Hcq8",
    "path": "/",
    "sameSite": "no_restriction",
    "secure": false,
    "session": false,
    "storeId": "0",
    "value": "N",
    "id": 2
  }
]

I would like to change the CookieName of these cookies in order to make my web applications more anonymous. Why publicly expose the fact that my web applications run ASP.NET Core?

The cookie options are hard-coded:

https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication/RemoteAuthenticationHandler.cs#L198

https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs#L896

Will a change of CookieName have any consequences in some other place I'm not aware of?
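The issue was closed against the 2.0.0 milestone, where the cookie settings of the remote handlers became configurable through `CookieBuilder` properties (`CorrelationCookie` on the OpenID Connect options, `NonceCookie` alongside it, and `Cookie` on the cookie handler). The following is an added example of the same setup written against that 2.0 API; it is not code from the issue or from the aspnet/Security repository, and the authority and client id are placeholders.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = "cookie";          // who authenticates requests
            options.DefaultChallengeScheme = "oidc";   // who handles the login redirect
        })
        .AddCookie("cookie", options =>
        {
            // Session cookie: same settings as the 1.x snippet above, 2.0 property names.
            options.Cookie.Name = "clientcookiename";
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
        })
        .AddOpenIdConnect("oidc", options =>
        {
            options.SignInScheme = "cookie";
            options.Authority = "https://idp.example.test";   // placeholder, not a real IdP
            options.ClientId = "client-id-placeholder";       // placeholder

            // Replace the ".AspNetCore.Correlation." / ".AspNetCore.OpenIdConnect.Nonce."
            // prefixes seen in the exported cookies so responses no longer name the
            // framework. The handler still appends its own per-request identifier, so
            // these values are prefixes, not the full cookie names.
            options.CorrelationCookie.Name = "corr.";
            options.CorrelationCookie.HttpOnly = true;
            options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;

            options.NonceCookie.Name = "nonce.";
            options.NonceCookie.HttpOnly = true;
            options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }
}
```

The exported cookies in the post were sent with `secure: false`; `CookieSecurePolicy.Always` fixes that for HTTPS deployments, and a plain-HTTP development host needs the `SameAsRequest` conditional the original snippet uses or the correlation and nonce cookies will never reach the browser.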

@Eilon Eilon added this to the 1.2.0 milestone Nov 17, 2016
@Eilon
Member

Eilon commented Nov 17, 2016

We should also add this to the OAuth providers.

@Eilon Eilon modified the milestones: 1.2.0, 2.0.0 Dec 15, 2016
@Eilon Eilon modified the milestones: Backlog, 2.0.0-preview1 Mar 2, 2017
@Eilon Eilon added the up-for-grabs We will consider contributions label Mar 2, 2017
@Tratcher Tratcher added 3 - Done and removed 1 - Ready up-for-grabs We will consider contributions labels Jul 11, 2017
@Tratcher Tratcher modified the milestones: 2.0.0, Backlog Jul 11, 2017
@Tratcher
Member
