CreateConsentCookie not working for http protocol

  • Question

  • User818337214 posted

    Hi,

    CreateConsentCookie not working for http protocol

    Is there any way? Is there any secure mode in settings for http protocol?

    services.Configure<CookiePolicyOptions>(options =>
    {
        options.ConsentCookie.Name = "Website-Consent";
        options.CheckConsentNeeded = context => true;
        // requires using Microsoft.AspNetCore.Http;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    @using Microsoft.AspNetCore.Http.Features
    @model WebsiteModel
    @inject IStringLocalizer<SharedResource> Localizer
    @{
        var consentFeature = Context.Features.Get<ITrackingConsentFeature>();
        var showBanner = !consentFeature?.CanTrack ?? false;
        var cookieString = consentFeature?.CreateConsentCookie();
    }
    @if (showBanner)
    {
        if (Model.CommonSetting.CookieConsentIsActive)
        {
            <div class="cookie-box fade show" id="cookie-warning">
                <div class="cookie-box-contents" id="cookie-box">@(Localizer["CookiePolicyContentSummary"])</div>
                <div class="cookie-box-buttons">
                    <a asp-action="Privacy" asp-controller="Home" class="cookie-button">@(Localizer["LearnMore"])</a>
                    <a id="cookie-close" class="cookie-button" href="javascript:void(0);" data-cookie-string="@cookieString">@(Localizer["GotIt"])</a>
                </div>
            </div>
            <script>
                (function () {
                    var button = document.querySelector("#cookie-warning a[data-cookie-string]");
                    button.addEventListener("click", function (event) {
                        document.cookie = button.dataset.cookieString;
                        document.getElementById("cookie-warning").remove();
                    }, false);
                })();
            </script>
        }
        else
        {
            <script>
                (function () {
                    document.cookie = '@cookieString';
                })();
            </script>
        }
    }

    Tuesday, November 10, 2020 10:30 AM

All replies

  • User753101303 posted

    Hi,

    You really need SameSite None? As pointed out by https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite, it requires Secure (i.e. https). If not using SameSite None, it should work.

    Still, most sensitive stuff such as video or audio capture etc. requires https as well. You should likely consider sooner or later to always use https, possibly with a free certificate.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, November 10, 2020 12:27 PM
  • User818337214 posted

    Is there any way for CreateConsentCookie?

    There are parameters in cookie policy options but it is not working for http.

    services.Configure<CookiePolicyOptions>(options =>
    {
        options.ConsentCookie.Name = "Website-Consent";
        options.CheckConsentNeeded = context => true;
        options.Secure = CookieSecurePolicy.None;
        // requires using Microsoft.AspNetCore.Http;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    So I have used this:

    // requires using Microsoft.AspNetCore.Http; (CookieOptions, SameSiteMode)
    [AllowAnonymous]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public JsonResult CreateConsentCookie()
    {
        Response.Cookies.Append("Website-Consent", "yes",
            new CookieOptions
            {
                Expires = DateTimeOffset.UtcNow.AddYears(1),
                SameSite = SameSiteMode.Strict,
                MaxAge = TimeSpan.FromDays(365),
                IsEssential = true,
            });
        var result = true;
        return Json(new { result });
    }

    Tuesday, November 10, 2020 1:07 PM
  • User753101303 posted

    As pointed out by the earlier link, if using SameSiteMode.None, you have to use CookieSecurePolicy.Always. If you really have to use this combination, you should use https, which is generally speaking anyway a good idea for most if not all sites.

    Tuesday, November 10, 2020 4:24 PM
  • User818337214 posted

    As pointed out by the earlier link, if using SameSiteMode.None, you have to use CookieSecurePolicy.Always. If you really have to use this combination, you should use https, which is generally speaking anyway a good idea for most if not all sites.

    Thank you. This is not necessary for website.

    So I got it how it is working. For simple website, SameSiteMode must be none. For cookie, it has to be as follows:

                services.Configure<CookiePolicyOptions>(options =>
                {
                    options.ConsentCookie.Name = "Website-Consent";
                    options.CheckConsentNeeded = context => true;
                    //requires using Microsoft.AspNetCore.Http;
                    options.MinimumSameSitePolicy = SameSiteMode.None;
                    options.ConsentCookie.SecurePolicy = CookieSecurePolicy.None;
                    options.ConsentCookie.SameSite = SameSiteMode.Strict;
                });

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, November 10, 2020 6:41 PM
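
Added example, not part of the thread and not ASP.NET Core or browser source: a simplified JavaScript model of the two browser rules behind this thread (SameSite=None needs Secure, and a Secure cookie cannot be set from a plain-HTTP page), run over constructed cookie strings for the configurations discussed. The function names and sample strings are assumptions made for illustration.

```javascript
// Added example: simplified model of how a browser treats a cookie string
// assigned to document.cookie. Helper names are hypothetical.

// Parse "name=value; attr=val; flag" into { name, value, attrs }.
function parseCookieString(cookieString) {
  const parts = cookieString.split(";").map((p) => p.trim()).filter(Boolean);
  const [first = "", ...rest] = parts;
  const eq = first.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim(); // flags become true
  }
  const name = eq === -1 ? "" : first.slice(0, eq);
  return { name, value: first.slice(eq + 1), attrs };
}

// Returns { accepted, reason } for the page scheme ("http" or "https").
function checkCookie(cookieString, scheme) {
  const { attrs } = parseCookieString(cookieString);
  const secure = attrs.secure === true;
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (secure && scheme !== "https") {
    return { accepted: false, reason: "Secure cookie set from a non-HTTPS page" };
  }
  if (sameSite === "none" && !secure) {
    return { accepted: false, reason: "SameSite=None without Secure" };
  }
  return { accepted: true, reason: "ok" };
}

// Constructed sample strings (not captured CreateConsentCookie output).
const samples = {
  noneNoSecure: "Website-Consent=yes; path=/; samesite=none",
  noneSecure: "Website-Consent=yes; path=/; secure; samesite=none",
  strictNoSecure: "Website-Consent=yes; path=/; samesite=strict",
};

// Evaluate each configuration from the thread against the model.
function runSamples() {
  return {
    httpNone: checkCookie(samples.noneNoSecure, "http"),
    httpNoneSecure: checkCookie(samples.noneSecure, "http"),
    httpsNoneSecure: checkCookie(samples.noneSecure, "https"),
    httpStrict: checkCookie(samples.strictNoSecure, "http"),
  };
}
console.log(runSamples());
```

On plain HTTP only the SameSite=Strict string without Secure passes both rules; the SameSite=None cookie is accepted only over HTTPS with Secure set.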