-
Notifications
You must be signed in to change notification settings - Fork 193
Continuation of encoding in Cookie discussion #547
Comments
An example of Base64 cookie interop with ASPNET without OWIN and with as was needed in Microsoft.OWIN: app.UseCookieAuthentication(
new CookieAuthenticationOptions
{
AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType,
CookieDomain = ".domain.com",
CookieName = "PreExistingCookieName",
TicketDataFormat = new WifTokenFormat(), //Replaces ' ' with '+' cause yeah.
SlidingExpiration = true,
Provider = new CookieAuthenticationProvider
{
OnResponseSignedIn = context =>
{
context.Response.Headers["Set-Cookie"] = Uri.UnescapeDataString(context.Response.Headers["Set-Cookie"]
.Replace(' ', '+'));
}
}
}); |
Would it be possible with the new DI services in ASPNET to inject a CookieEncodingService instead of hard-coding an impl, I think that would satisfy both camps. |
@psibernetic Great idea! |
#515 is unrelated, it's a parsing failure, so it never even gets to the un-escaping step. |
@psibernetic please add sample data inputs and outputs for both the request and response headers. |
I have created a sample project using Katana to demonstrate the functionality that was ported over that is causing issues, it should adequately show the bug. The example data I used was: //Had to come up with a string that would output a + in the encoded result
// xml seems to do the trick.
const string Base64ExampleText = @"<tag attribute=""><childtag></tag>"; Raw base64 output and what is in my cookie:
IOwinContext.Request.Cookies output:
Which throws https://github.com/psibernetic/KatanaCookieBase64IssueExample I haven't had time to use the ASPNET 5 implementation yet, but the code was ported over from Katana. Additionally, Thanks. |
Adding a link to RFC 4648 which describes base64url encoding scheme. I believe this should be the default strategy moving forward, but should be configurable for each cookie for interoperability. ExpressJS does this through a Middleware option function called encode for setting cookies, but makes no assumption on how cookies are to be read. |
I went digging through the Katana code to figure out why We no longer share parsers between these components so I will remove this special case from the cookie code path. This will allow us to read base64 cookies as-is. This does not affect any of the other encoding or decoding. |
Thanks for the the resolution @Tratcher. |
@psibernetic @Tratcher In addition to In Should the |
@BrandonClapp Please open a new issue and include example values. |
We are running Microsoft.Owin v3.1.0 and are still experiencing this problem:
returns a string value with base64 encoded data in it (here, only a part has been shown) |
@LordRhialto Please report Microsoft.Owin issues to https://github.com/aspnet/aspnetkatana |
Refers to #535 & PR #546
Also open on Katana: http://katanaproject.codeplex.com/workitem/442
@Tratcher
Forcefully encoding and forcefully decoding breaks interoperability with existing solutions other than Microsoft.Owin. Furthermore cookie handling is now non-symmetrical in operations. Both the write and read use Uri.EscapeDataString, but the read operation does extra work which invalidates Base64.
The text was updated successfully, but these errors were encountered: