Merge pull request #4725 from sbwalker/dev

fix #4714 as well as breaking change in #4712
oqtane · Oct 14, 2024 · d952c33 · d952c33
2 parents 0e5b370 + 93bc1cd
commit d952c33
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 9 deletions.
diff --git a/Oqtane.Client/UI/Interop.cs b/Oqtane.Client/UI/Interop.cs
@@ -16,6 +16,11 @@ public Interop(IJSRuntime jsRuntime)
             _jsRuntime = jsRuntime;
         }
 
+        public async Task SetCookie(string name, string value, int days)
+        {
+            await SetCookie(name, value, days, true, "Lax");
+        }
+
         public Task SetCookie(string name, string value, int days, bool secure, string sameSite)
         {
             try

diff --git a/Oqtane.Maui/wwwroot/js/interop.js b/Oqtane.Maui/wwwroot/js/interop.js
@@ -6,11 +6,11 @@ Oqtane.Interop = {
         d.setTime(d.getTime() + (days * 24 * 60 * 60 * 1000));
         var expires = "expires=" + d.toUTCString();
         var cookieString = name + "=" + value + ";" + expires + ";path=/";
-        if (sameSite === "Lax" || sameSite === "Strict" || sameSite === "None") {
-            cookieString += `; SameSite=${sameSite}`;
-        }
         if (secure) {
-            cookieString += "; Secure";
+            cookieString += "; secure";
+        }
+        if (sameSite === "Lax" || sameSite === "Strict" || sameSite === "None") {
+            cookieString += "; SameSite=" + sameSite;
         }
         document.cookie = cookieString;
     },

diff --git a/Oqtane.Server/Components/App.razor b/Oqtane.Server/Components/App.razor
@@ -609,7 +609,7 @@
             Expires = DateTimeOffset.UtcNow.AddYears(1),
             SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
             Secure = true, // Ensure the cookie is only sent over HTTPS
-            HttpOnly = true // Optional: Helps mitigate XSS attacks
+            HttpOnly = false // cookie is updated using JS Interop
         };
 
         Context.Response.Cookies.Append(

diff --git a/Oqtane.Server/wwwroot/js/interop.js b/Oqtane.Server/wwwroot/js/interop.js
@@ -6,11 +6,11 @@ Oqtane.Interop = {
         d.setTime(d.getTime() + (days * 24 * 60 * 60 * 1000));
         var expires = "expires=" + d.toUTCString();
         var cookieString = name + "=" + value + ";" + expires + ";path=/";
-        if (sameSite === "Lax" || sameSite === "Strict" || sameSite === "None") {
-            cookieString += `; SameSite=${sameSite}`;
-        }
         if (secure) {
-            cookieString += "; Secure";
+            cookieString += "; secure";
+        }
+        if (sameSite === "Lax" || sameSite === "Strict" || sameSite === "None") {
+            cookieString += "; SameSite=" + sameSite;
         }
         document.cookie = cookieString;
     },