I'm working on a self-hosted Windows HTTP service using ServiceStack. I have a request to implement basic authentication (username/password) to authenticate the calling applications. This is the code I'm using right now and it's working fine:
    // Register the ServiceStack auth feature with the built-in Basic Auth provider
    Plugins.Add(new AuthFeature(() => new AuthUserSession(),
        new IAuthProvider[] { new BasicAuthProvider() })); //CustomBasicAuthProvider()

    // Session cache and an in-memory user store (not persisted across restarts)
    container.Register<ICacheClient>(new MemoryCacheClient());
    var userRepository = new InMemoryAuthRepository();
    container.Register<IUserAuthRepository>(userRepository);

    // Salted hash of the password, so the clear-text password is never stored
    string hash;
    string salt;
    new SaltedHash().GetHashAndSaltString("passwordinhere", out hash, out salt);

    // The second argument is the plain-text password, which the repository
    // hashes and stores itself, so the hash/salt set here are replaced by
    // those derived from "app"
    userRepository.CreateUserAuth(new UserAuth
    {
        Id = 1,
        DisplayName = "userdisplayname",
        UserName = "usernameinhere",
        PasswordHash = hash,
        Salt = salt
    }, "app");
When I inspect the response header coming from my service, I can clearly see that it contains 2 cookies:
Set-Cookie: ss-id=dT8Yy6ejhgfjhgfkVvcxcxCNtngYRS4;path=/
Set-Cookie: ss-pid=p4lsgo18JhYF4CTcxkhgkhgffRZob;path=/;expires=Fri, 09 Jan 2037 12:17:03 GMT
I need to configure ServiceStack to add the ;HttpOnly flag to those cookies for security purposes, but I can't find how to do it.
So guys, does anyone have an idea how to do that? Any idea is very welcome.
Thanks in advance for your help :)
You can control whether the HttpOnly flag is set on Cookies with Config.AllowNonHttpOnlyCookies, which by default is false, so it would always set the HttpOnly flag. Unfortunately this setting was ignored with self-hosts, which is now resolved with this commit, which will now populate the HttpOnly flag for all Cookies by default. This change is available from v4.5.5+ that's now available on MyGet.
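To confirm the fix from the client side after upgrading, here is an added check (not part of the question, the answer, or ServiceStack) that parses Set-Cookie headers like the two quoted above and lists the cookies that a browser script could still read because the HttpOnly attribute is missing. The sample headers are constructed from the question's two lines, plus one corrected variant.

```python
from dataclasses import dataclass, field

# Constructed sample: the two Set-Cookie headers quoted in the question
# (emitted without HttpOnly by the self-hosted service), plus one line
# showing what the header looks like once HttpOnly is set.
SAMPLE_HEADERS = [
    "Set-Cookie: ss-id=dT8Yy6ejhgfjhgfkVvcxcxCNtngYRS4;path=/",
    "Set-Cookie: ss-pid=p4lsgo18JhYF4CTcxkhgkhgffRZob;path=/;"
    "expires=Fri, 09 Jan 2037 12:17:03 GMT",
    "Set-Cookie: ss-id=dT8Yy6ejhgfjhgfkVvcxcxCNtngYRS4;path=/;HttpOnly",
]


@dataclass
class CookieFlags:
    name: str
    http_only: bool
    secure: bool
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie line, with or without the 'Set-Cookie:' prefix.

    Attribute names are matched case-insensitively (RFC 6265), so
    'HttpOnly', 'httponly' and 'HTTPONLY' all count.
    """
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")   # 'expires=Fri, 09 Jan ...' keeps its commas
        attrs[key.strip().lower()] = val.strip()
    return CookieFlags(name, "httponly" in attrs, "secure" in attrs, attrs)


def cookies_missing_httponly(headers) -> list:
    """Names of cookies in the response that lack the HttpOnly attribute."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.http_only]


if __name__ == "__main__":
    print("cookies readable from script:", cookies_missing_httponly(SAMPLE_HEADERS))
```

Run it against the raw Set-Cookie lines of a real response (e.g. copied from a proxy or curl -i) to see which session cookies still need the flag.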