using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
namespace ZB.MOM.WW.Auth.AspNetCore;
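/// <summary>
/// Applies the hardened cookie-authentication defaults shared by ZB.MOM.WW apps:
/// HTTP-only, <see cref="SameSiteMode.Strict"/>, sliding expiration, a caller-supplied idle
/// timeout, and a configurable HTTPS requirement.
/// </summary>
/// <remarks>
/// The cookie <em>name</em> is intentionally left untouched: each app owns its own cookie name
/// (so two apps on the same host do not clobber each other's session), and the caller sets it
/// when configuring the cookie scheme.
/// </remarks>
public static class ZbCookieDefaults
{
    /// <summary>
    /// Default idle timeout used when a caller does not supply one. After this much inactivity
    /// the (sliding) session cookie expires and the principal must re-authenticate.
    /// </summary>
    public static readonly TimeSpan DefaultIdleTimeout = TimeSpan.FromMinutes(30);

    /// <summary>
    /// Applies the hardened defaults to <paramref name="options"/>.
    /// </summary>
    /// <param name="options">The cookie-authentication options to mutate.</param>
    /// <param name="requireHttps">
    /// When <see langword="true"/> (the default), the cookie is only ever sent over HTTPS
    /// (<see cref="CookieSecurePolicy.Always"/>). Set to <see langword="false"/> only for local
    /// development over plain HTTP (<see cref="CookieSecurePolicy.SameAsRequest"/>: Secure is
    /// still set when the current request is HTTPS, which is safer than <c>None</c>).
    /// </param>
    /// <param name="idleTimeout">
    /// The sliding idle timeout. Defaults to <see cref="DefaultIdleTimeout"/> when not specified.
    /// Must be a positive duration when supplied.
    /// </param>
    /// <exception cref="ArgumentNullException"><paramref name="options"/> is <see langword="null"/>.</exception>
    /// <exception cref="ArgumentOutOfRangeException">
    /// <paramref name="idleTimeout"/> is supplied but is zero or negative.
    /// </exception>
    public static void Apply(
        CookieAuthenticationOptions options,
        bool requireHttps = true,
        TimeSpan? idleTimeout = null)
    {
        ArgumentNullException.ThrowIfNull(options);

        // A zero or negative window leaves no interval in which an issued ticket is valid;
        // surface that as a configuration error at startup rather than as unexplained sign-outs.
        if (idleTimeout is { } requestedTimeout && requestedTimeout <= TimeSpan.Zero)
        {
            throw new ArgumentOutOfRangeException(
                nameof(idleTimeout),
                requestedTimeout,
                "The idle timeout must be a positive duration.");
        }

        // Keep the session cookie out of reach of script (HttpOnly) and off cross-site requests.
        // Strict also withholds the cookie on top-level navigations arriving from another site,
        // so the first request after an external link is unauthenticated by design.
        options.Cookie.HttpOnly = true;
        options.Cookie.SameSite = SameSiteMode.Strict;

        // Always: the browser only ever sends the cookie over HTTPS.
        // SameAsRequest: Secure is set only when the issuing request itself was HTTPS.
        options.Cookie.SecurePolicy = requireHttps
            ? CookieSecurePolicy.Always
            : CookieSecurePolicy.SameAsRequest;

        // Sliding expiration renews the ticket on activity; ExpireTimeSpan bounds inactivity.
        options.SlidingExpiration = true;
        options.ExpireTimeSpan = idleTimeout ?? DefaultIdleTimeout;
    }
}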