Made sure all cookies were strict and https only

2023-08-02 14:16:22 +02:00 · 2018-06-21 00:14:11 -07:00 · 2018-06-21 00:14:11 -07:00 · b2902d7090
commit b2902d7090
parent 39d875e4cf
3 changed files with 13 additions and 4 deletions
--- a/Teknik/Areas/User/Utility/UserHelper.cs
+++ b/Teknik/Areas/User/Utility/UserHelper.cs
@ -1334,7 +1334,7 @@ If you recieved this email and you did not reset your password, you can ignore t
            {
                HttpOnly = true,
                Secure = true,
-                Expires = DateTime.Now.AddYears(1)
+                Expires = DateTime.Now.AddDays(30)
            };

            // Set domain dependent on where it's being ran from
--- a/Teknik/Areas/User/Views/User/TwoFactorCheck.cshtml
+++ b/Teknik/Areas/User/Views/User/TwoFactorCheck.cshtml
@ -30,7 +30,7 @@
                                    <input id="RememberDevice" type="checkbox" value="true" name="RememberDevice" /><input name="RememberDevice" type="hidden" value="false"> Remember Device 
                                </label>
                            </div>
-                            <small>Set this device as a trusted device.  It is not advised to trust a public computer.</small>
+                            <small>Set this device as a trusted device for 30 days.  It is not advised to trust a public computer.</small>
                            <br />
                            <br />
                            }
--- a/Teknik/Startup.cs
+++ b/Teknik/Startup.cs
@ -87,6 +87,8 @@ namespace Teknik
                {
                    options.Cookie.Domain = null;
                    options.Cookie.Name = "TeknikAuth";
+                    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+                    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
                    options.LoginPath = "/User/User/Login";
                    options.LogoutPath = "/User/User/Logout";
                    options.EventsType = typeof(TeknikCookieAuthenticationEvents);
@ -110,7 +112,12 @@ namespace Teknik
            services.AddSession();

            // Set the anti-forgery cookie name
-            services.AddAntiforgery(options => options.Cookie.Name = "TeknikAntiForgery");
+            services.AddAntiforgery(options =>
+            {
+                options.Cookie.Name = "TeknikAntiForgery";
+                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+                options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
+            });

            // Core MVC
            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
@ -138,7 +145,9 @@ namespace Teknik
                Cookie = new CookieBuilder()
                {
                    Domain = null,
-                    Name = "TeknikSession"
+                    Name = "TeknikSession",
+                    SecurePolicy = CookieSecurePolicy.Always,
+                    SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict
                }
            });