
Localization Cookie Static Conditional HttpOnly=True #4730

Closed
wants to merge 5 commits into from

Conversation

thabaum
Contributor

@thabaum thabaum commented Oct 14, 2024

Fix #4714
#4703
#4728

This adds conditional checks in the LanguageSwitcher.razor component and the App.razor component to check whether the current render mode is static and, if it is, set HttpOnly=True on the culture cookie when it is created. Otherwise it is set to false.

@sbwalker
Member

I am not going to merge this PR as there is the real possibility that if a site starts with Static render mode (the default) and later changes to Interactive - the users of the site would run into issues setting the language cookie and would need to manually remove the cookie from their browser in order to get it to work properly.

@maurocavallin

> I am not going to merge this PR as there is the real possibility that if a site starts with Static render mode (the default) and later changes to Interactive - the users of the site would run into issues setting the language cookie and would need to manually remove the cookie from their browser in order to get it to work properly.

I can confirm: with this PR a cookie that starts HttpOnly in Static mode stays unchanged when switching to Interactive, and then the user has to manually remove the cookie to go on.

I agree the language cookie can be HttpOnly=false for any mode; it has no sensitive content, and even if manipulated by any allowed actor on the client side, it can do no harm.
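To make the failure mode discussed above concrete, here is an added example (not Oqtane's code and not part of this PR) that writes the ASP.NET Core culture cookie from a server endpoint, which is the path a static-SSR page can use via a plain form POST. The endpoint path `/set-culture` and its parameters are assumptions; the cookie name and value format come from `CookieRequestCultureProvider`.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Localization;

var app = WebApplication.CreateBuilder(args).Build();

// Hypothetical endpoint a static-SSR page POSTs to (no JavaScript runs there).
app.MapPost("/set-culture", (HttpContext ctx, string culture, string redirectUri) =>
{
    // ".AspNetCore.Culture" with the "c=..|uic=.." value the framework's provider parses.
    var value = CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture));

    ctx.Response.Cookies.Append(
        CookieRequestCultureProvider.DefaultCookieName,
        value,
        new CookieOptions
        {
            // Keep HttpOnly = false on purpose: interactive components write this same
            // cookie through JS interop (document.cookie), and script can neither read
            // nor overwrite an HttpOnly cookie. A cookie stamped HttpOnly here would
            // survive a later switch to Interactive mode and every client-side change
            // would be silently ignored until the user deletes it by hand.
            HttpOnly = false,
            Secure = ctx.Request.IsHttps,
            SameSite = SameSiteMode.Lax,   // the value is a culture name, not a secret
            IsEssential = true,
            Expires = DateTimeOffset.UtcNow.AddYears(1)
        });

    // LocalRedirect rejects absolute URLs, so redirectUri cannot become an open redirect.
    return Results.LocalRedirect(redirectUri);
});

app.Run();
```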

@sbwalker sbwalker closed this Oct 15, 2024
@thabaum
Contributor Author

thabaum commented Oct 15, 2024

thanks for the explanation and review

@thabaum
Contributor Author

thabaum commented Oct 15, 2024

Could we expire the cookie, then create a new one?

@sbwalker
Member

@thabaum If a cookie has HttpOnly disabled it does not mean your site is vulnerable to attack. HttpOnly is only an extra layer of defense (for those browsers that actually support it). XSS requires an initial attack vector - the injection of executable JavaScript into a page. If your site allows a malicious user to inject JavaScript then they could include a script which can read the value of cookies. HttpOnly prevents scripts from reading cookie values. So it's useful as an additional safeguard for authentication cookies or cookies which store other confidential information. But if your site allows malicious scripts to be injected then you obviously have much bigger problems to worry about than just cookies.
