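I have an ASP.NET Core 6 MVC Razor Pages application running on an Azure Linux App Service plan (with HTTPS enforced), using Microsoft Identity for Azure AD integrated authentication.
The authentication integration works like a charm. Couldn't be happier.
But in my logs, I see warnings like this:
The cookie '.AspNetCore.Correlation.[…]' has set 'SameSite=None' and must also set 'Secure'.
(and the same for the .AspNetCore.OpenIdConnect.Nonce cookie).
I tried adding a cookie policy: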
app.UseCookiePolicy(new CookiePolicyOptions
{
    HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always,
    MinimumSameSitePolicy = Microsoft.AspNetCore.Http.SameSiteMode.None,
    Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always
});
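But no joy.
I tried putting the code right after "var app = builder.Build();" and right after "app.UseAuthentication(); app.UseAuthorization();" (just before app.MapRazorPages().RequireAuthorization("MyRoleId")).
Any ideas on how to get these cookies set as secure?
Typically, the cookie policy is added before app.UseAuthentication(); because that will write cookies. Here is the code: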
// Needed for the unqualified HttpOnlyPolicy used below
using Microsoft.AspNetCore.CookiePolicy;

var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
builder.Services.AddRazorPages();
var app = builder.Build();
// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
// Add this before any other middleware that might write cookies
app.UseCookiePolicy(new CookiePolicyOptions
{
    HttpOnly = HttpOnlyPolicy.Always,
    MinimumSameSitePolicy = SameSiteMode.None,
    Secure = CookieSecurePolicy.Always
});
// This will write cookies, so make sure it's after the cookie policy
app.UseAuthorization();
app.MapRazorPages();
app.Run();
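
To confirm whether a change like the one above took effect, the Set-Cookie values the app returns can be checked for the condition the warning describes. The following is an added example, not part of the question or the answer: `SetCookieAudit` is a hypothetical helper, and the sample header values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample Set-Cookie values (not captured from a real app).
var sample = new[]
{
    ".AspNetCore.Correlation.abc123=N; path=/signin-oidc; samesite=none; httponly",
    ".AspNetCore.OpenIdConnect.Nonce.def456=N; path=/signin-oidc; secure; samesite=none; httponly",
    "theme=dark; path=/; samesite=lax"
};

foreach (var name in SetCookieAudit.FindSameSiteNoneWithoutSecure(sample))
    Console.WriteLine($"SameSite=None without Secure: {name}");

// Hypothetical helper: returns the names of cookies that would trigger the warning.
static class SetCookieAudit
{
    public static IReadOnlyList<string> FindSameSiteNoneWithoutSecure(IEnumerable<string> setCookieValues)
    {
        var offenders = new List<string>();
        foreach (var header in setCookieValues)
        {
            // First segment is name=value; the rest are attributes.
            var parts = header.Split(';', StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries);
            if (parts.Length == 0) continue;

            var eq = parts[0].IndexOf('=');
            var name = eq > 0 ? parts[0][..eq] : parts[0];

            var secure = false;
            var sameSiteNone = false;
            foreach (var attr in parts.Skip(1))
            {
                // Attribute names and the SameSite value are case-insensitive.
                var kv = attr.Split('=', 2, StringSplitOptions.TrimEntries);
                if (kv[0].Equals("secure", StringComparison.OrdinalIgnoreCase))
                    secure = true;
                else if (kv.Length == 2
                         && kv[0].Equals("samesite", StringComparison.OrdinalIgnoreCase)
                         && kv[1].Equals("none", StringComparison.OrdinalIgnoreCase))
                    sameSiteNone = true;
            }

            if (sameSiteNone && !secure) offenders.Add(name);
        }
        return offenders;
    }
}
```

Each string passed in is one Set-Cookie header value, so an integration test can feed it the headers from the sign-in redirect response and assert that the returned list is empty.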