Add httpOnly flag to ss-id/ss-pid servicestack cookies

445 views Asked by At

I'm working on a self-hosted windows HTTP service using service stack, I have a request to implement basic authentication (username/password) to authenticate the calling applications. This is the code I'm using right now and it's working fine:

        Plugins.Add(new AuthFeature(() => new AuthUserSession() {},
 new IAuthProvider[] { new BasicAuthProvider() })); //CustomBasicAuthProvider()

        container.Register<ICacheClient>(new MemoryCacheClient());

        var userRepository = new InMemoryAuthRepository();
        container.Register<IUserAuthRepository>(userRepository);
        string hash;
        string salt;

        new SaltedHash().GetHashAndSaltString("passwordinhere", out hash, out salt);
                userRepository.CreateUserAuth(new UserAuth()
                {
                    Id = 1,
                    DisplayName = "userdisplayname",
                    UserName = "usernameinhere",
                    PasswordHash = hash,
                    Salt = salt
                }
                    , "app");

When I inspect the response header coming from my service I see clearly that it contains 2 cookies:

Set-Cookie: ss-id=dT8Yy6ejhgfjhgfkVvcxcxCNtngYRS4;path=/

Set-Cookie: ss-pid=p4lsgo18JhYF4CTcxkhgkhgffRZob;path=/;expires=Fri, 09 Jan 2037 12:17:03 GMT

I need to configure ServiceStack to add ;httpOnly flag to those cookies for security purpose but I can't find how to do it.

So guys, anyone has an idea how to do that? any idea is very welcome.

Thanks in advance for your help :)

1

There are 1 answers

1
mythz On BEST ANSWER

You can control whether HttpOnly flag are set on Cookies with Config.AllowNonHttpOnlyCookies which by default is false so would always set the HttpOnly flag. Unfortunately this setting was ignored with self-hosts which is now resolved with this commit which will now populate HttpOnly flag for all Cookies by default.

This change is available from v4.5.5+ that's now available on MyGet.