Use SystemWebCookieManager by default #485
Wooooot, I was really tempted to open a ticket to suggest doing that when I posted dotnet/aspnetcore#45278 (comment) 2 weeks ago 😅 The idea is great, but the layering - having I'd suggest opting for a different approach, designed after what already exists for
It's a bit more code, but it solves the layering problem very nicely. |
Oh, and since you're making my wildest dreams come true, what about making |
Yeah, that's what put me off this approach for so long. Ultimately though, this is full framework so that dependency doesn't really mean much, it's all there on disk regardless. Worst case an extra assembly gets loaded at runtime for self-host apps. I'm less concerned about that since Katana is disproportionately used on System.Web.
Sure :-) |
It's likely not unreasonable, but The |
Ok, have fun |
Ha, C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.dll is 5mb! And that doesn't include transitive dependencies. |
Would this be a factory that returns a ICookieManager? Maybe with an option for chunking? |
Not gonna lie, setting up that repo was quite a challenge 😅
Anyway, I gave it a try and here's the result: kevinchalet@6c14fc2 It's very crude ATM but if it's an approach you like, it can be polished. Two things to note:
|
Yeah, switching to the new build infrastructure left some rough edges 😁. I'm tempted to remove those sandbox projects. |
Or convert them to SDK-style projects using CZEMacLeod's MSBuild.SDK.SystemWeb? 😄 The result is incredible: https://github.com/openiddict/openiddict-core/blob/dev/sandbox/OpenIddict.Sandbox.AspNet.Client/OpenIddict.Sandbox.AspNet.Client.csproj (that project even builds on macOS/Linux thanks to the .NET Framework reference assemblies package, mind blowing... ) |
Copying these comments here so they don't disappear once the branch is removed. I made the same experiment but without the loosely-typed tuples: kevinchalet@500ca47 Unsurprisingly, it's much less "OWINy" - it had its own charm - but it simplifies things a lot 🤣 |
Very nice. Want to send a PR? |
Yeah, I'll do that. Note: one of the two concerns vanished when removing the loosely-typed OWINisms, but the other one remains. Should we do something to avoid a behavior change?
|
I'm not concerned about anyone reading that property. Did you have any examples of that in the aspnet-contrib libs? |
Opened: #486.
Nope. The only - unusual? - pattern I can think of would be this one:

```csharp
var options = new OpenIdConnectAuthenticationOptions();
options.CookieManager = new MyCookieManagerWrapperThatDoesSameSiteStuff(options.CookieManager);
app.UseOpenIdConnectAuthentication(options);
```
|
This is the only part of this PR left. Want to include that in your other PR, or send a separate one for it? |
Done: #488 Many generations of poor people DOSed by |
This mitigates https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues for most users by defaulting to the SystemWeb cookies collection when available.
@kevinchalet thoughts?
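An added example, not code from this thread or from Katana: the cookie-manager wrapping pattern quoted in the conversation, written so that it names the System.Web-backed manager explicitly instead of depending on what `options.CookieManager` holds by default. `SameSiteCookieManager`, the client id and the authority URL are hypothetical; the code assumes Microsoft.Owin 4.1 or later (for `CookieOptions.SameSite`) and a site served over HTTPS only.

```csharp
using System;
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Hypothetical wrapper (not a Katana type): stamps SameSite and Secure on every
// cookie the middleware writes or deletes, then delegates to the inner manager.
public sealed class SameSiteCookieManager : ICookieManager
{
    private readonly ICookieManager _inner;
    private readonly SameSiteMode _mode;
    public SameSiteCookieManager(ICookieManager inner, SameSiteMode mode)
    {
        // Fail at startup, not at the first sign-in, if no inner manager is given.
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        _mode = mode;
    }
    public string GetRequestCookie(IOwinContext context, string key) =>
        _inner.GetRequestCookie(context, key);
    public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options) =>
        _inner.AppendResponseCookie(context, key, value, Harden(options));
    public void DeleteCookie(IOwinContext context, string key, CookieOptions options) =>
        _inner.DeleteCookie(context, key, Harden(options));
    private CookieOptions Harden(CookieOptions options)
    {
        options.SameSite = _mode;
        options.Secure = true; // assumption: HTTPS-only site
        return options;
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // The inner manager writes through System.Web's response cookie collection.
        var sessionCookies = new SameSiteCookieManager(new SystemWebCookieManager(), SameSiteMode.Lax);
        app.UseCookieAuthentication(new CookieAuthenticationOptions { CookieManager = sessionCookies });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "example-client-id",           // placeholder
            Authority = "https://login.example.test", // placeholder
            SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            // None: the nonce cookie must survive the cross-site form_post callback.
            CookieManager = new SameSiteCookieManager(new SystemWebCookieManager(), SameSiteMode.None)
        });
    }
}
```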