Additional content on Cookie Policy Middleware #8382
Conversation
|
@kichalla please review. |
|
@Tratcher are you the right person to review Cookie Policy Middleware? |
|
I'm going for changes here that reflect Kiran's remarks here 👉 aspnet/Mvc#8233 (comment) |
| @@ -118,6 +132,10 @@ public void Configure(IApplicationBuilder app) | |||
| // Authenticate before you access secure resources. | |||
| app.UseIdentity(); | |||
|
|
|||
| // If the app uses session state, call Session Middleware after Cookie | |||
| // Policy Middleware and before MVC Middleware. | |||
There was a problem hiding this comment.
There's no cookie policy in this example.
| @@ -209,6 +227,7 @@ ASP.NET Core ships with the following middleware components. The *Order* column | |||
| | Middleware | Description | Order | | |||
| | ---------- | ----------- | ----- | | |||
| | [Authentication](xref:security/authentication/identity) | Provides authentication support. | Before `HttpContext.User` is needed. Terminal for OAuth callbacks. | | |||
| | [Cookie Policy](xref:security/gdpr) | Ask for (and track) consent from users for storing personal information. | Before Session Middleware, if present. | | |||
There was a problem hiding this comment.
It does not request consent, it only tracks it. It also enforces minimum standards for cookie fields like secure and SameSite.
There was a problem hiding this comment.
@Tratcher There's a consent button, and this remark on consent in the topic ...
Obtains the state of tracking for the user. If the app is configured to require consent, the user must consent before cookies can be tracked.
I shamelessly stole the line in the table almost word-for-word from the topic ... see the 2nd bullet of the introduction at 👉 https://docs.microsoft.com/aspnet/core/security/gdpr
Do I need to make changes to both topics?
There was a problem hiding this comment.
Provide a link to a doc on Session Middleware.
There was a problem hiding this comment.
The template UI that shows a consent button is independent of the middleware. Consent is requested and granted through the UI, and then the middleware tracks that result for future requests. The GDPR doc is fine because it's talking about the end-to-end scenario.
There was a problem hiding this comment.
Gotcha ... thanks.
| 2. Static file server | ||
| 3. Authentication | ||
| 4. MVC | ||
| The following `Configure` method adds middleware components for common app scenarios: |
There was a problem hiding this comment.
Configure --> Startup.Configure
| @@ -209,6 +227,7 @@ ASP.NET Core ships with the following middleware components. The *Order* column | |||
| | Middleware | Description | Order | | |||
| | ---------- | ----------- | ----- | | |||
| | [Authentication](xref:security/authentication/identity) | Provides authentication support. | Before `HttpContext.User` is needed. Terminal for OAuth callbacks. | | |||
| | [Cookie Policy](xref:security/gdpr) | Ask for (and track) consent from users for storing personal information. | Before Session Middleware, if present. | | |||
There was a problem hiding this comment.
Provide a link to a doc on Session Middleware.
Several of the tables last-column cells refer to other middlewares in the table. I didn't provide links in that column for any of them because all of them are already in the table. Session Middleware is the same ... it's the third from the bottom. I figured it's best not to have double links in the table. [EDIT] ... or we have to link all of them. I'm in favor of just one link. The dev can see the list, so they should be able to find them (Famous last words ... put that on my tombstone plz! lol). |
Fixes #8041
Internal Review Topic (Middleware)
Internal Review Topic (GDPR)
@kichalla Follows your remarks on aspnet/Mvc#8233.