Uses correct preview cookie same site and secure settings to allow preview mode to flow between links in the preview frame (#18640)

* Uses correct preview cookie same site and secure settings to allow preview mode to flow between links in the preview frame. * Fixed comment.
2025-03-21 15:20:08 +01:00
parent 45b0e43b89
commit 394210a8f7
7 changed files with 235 additions and 8 deletions
--- a/src/Umbraco.Web.Common/AspNetCore/AspNetCoreCookieManager.cs
+++ b/src/Umbraco.Web.Common/AspNetCore/AspNetCoreCookieManager.cs
@@ -3,13 +3,21 @@ using Umbraco.Cms.Core.Web;

 namespace Umbraco.Cms.Web.Common.AspNetCore;

+/// <summary>
+/// An <see cref="ICookieManager"/> implementation for ASP.NET Core.
+/// </summary>
 public class AspNetCoreCookieManager : ICookieManager
 {
    private readonly IHttpContextAccessor _httpContextAccessor;

+    /// <summary>
+    /// Initializes a new instance of the <see cref="AspNetCoreCookieManager"/> class.
+    /// </summary>
+    /// <param name="httpContextAccessor">The <see href="IHttpContextAccessor" />.</param>
    public AspNetCoreCookieManager(IHttpContextAccessor httpContextAccessor) =>
        _httpContextAccessor = httpContextAccessor;

+    /// <inheritdoc/>
    public void ExpireCookie(string cookieName)
    {
        HttpContext? httpContext = _httpContextAccessor.HttpContext;
@@ -21,14 +29,43 @@ public class AspNetCoreCookieManager : ICookieManager

        var cookieValue = httpContext.Request.Cookies[cookieName];

-        httpContext.Response.Cookies.Append(cookieName, cookieValue ?? string.Empty,
-            new CookieOptions { Expires = DateTime.Now.AddYears(-1) });
+        httpContext.Response.Cookies.Append(
+            cookieName,
+            cookieValue ?? string.Empty,
+            new CookieOptions
+            {
+                Expires = DateTime.Now.AddYears(-1),
+            });
    }

+    /// <inheritdoc/>
    public string? GetCookieValue(string cookieName) => _httpContextAccessor.HttpContext?.Request.Cookies[cookieName];

+    /// <inheritdoc/>
+    [Obsolete("Use overload with the secure and sameSiteMode parameters instead. Scheduled for removal in V17.")]
    public void SetCookieValue(string cookieName, string value, bool httpOnly) =>
-        _httpContextAccessor.HttpContext?.Response.Cookies.Append(cookieName, value, new CookieOptions { HttpOnly = httpOnly });
+        SetCookieValue(cookieName, value, httpOnly, false, SameSiteMode.Unspecified.ToString());

-    public bool HasCookie(string cookieName) => !(GetCookieValue(cookieName) is null);
+    /// <inheritdoc/>
+    public void SetCookieValue(string cookieName, string value, bool httpOnly, bool secure, string sameSiteMode)
+    {
+        SameSiteMode sameSiteModeValue = ParseSameSiteMode(sameSiteMode);
+        _httpContextAccessor.HttpContext?.Response.Cookies.Append(
+            cookieName,
+            value,
+            new CookieOptions
+            {
+                HttpOnly = httpOnly,
+                SameSite = sameSiteModeValue,
+                Secure = secure,
+            });
+    }
+
+    private static SameSiteMode ParseSameSiteMode(string sameSiteMode) =>
+        Enum.TryParse(sameSiteMode, ignoreCase: true, out SameSiteMode result)
+            ? result
+            : throw new ArgumentException($"The provided {nameof(sameSiteMode)} value could not be parsed into as SameSiteMode value.", nameof(sameSiteMode));
+
+    /// <inheritdoc/>
+    public bool HasCookie(string cookieName) => GetCookieValue(cookieName) is not null;
 }