diff --git a/modules/end-user/src/gpconnect-appointment-checker/Core/Configuration/Infrastructure/ApplicationBuilderExtensions.cs b/modules/end-user/src/gpconnect-appointment-checker/Core/Configuration/Infrastructure/ApplicationBuilderExtensions.cs
index 81344f3b..9166bffb 100644
--- a/modules/end-user/src/gpconnect-appointment-checker/Core/Configuration/Infrastructure/ApplicationBuilderExtensions.cs
+++ b/modules/end-user/src/gpconnect-appointment-checker/Core/Configuration/Infrastructure/ApplicationBuilderExtensions.cs
@@ -1,5 +1,7 @@
 using System;
+using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
@@ -36,11 +38,25 @@ public static void ConfigureApplicationBuilderServices(this IApplicationBuilder
 context.Context.Response.Headers[HeaderNames.CacheControl] = $"public, max-age={TimeSpan.FromSeconds(60 * 60 * 24)}";
 }
 });
- app.UseSession();
+ app.UseCookiePolicy();
 app.UseRouting();
+ app.UseSession();
 app.UseResponseCaching();
+ app.Use(async (context, next) =>
+ {
+ var antiForgery = context.RequestServices.GetRequiredService();
+ antiForgery.SetCookieTokenAndHeader(context);
+ await next(context);
+ });
+
+ app.Use(async (context, next) =>
+ {
+ context.Session.SetString("SessionKey", "Session");
+ await next();
+ });
+
 app.Use(async (context, next) =>
 {
 context.Response.GetTypedHeaders().CacheControl = new CacheControlHeaderValue()
diff --git a/modules/end-user/src/gpconnect-appointment-checker/Core/Configuration/Infrastructure/ServiceCollectionExtensions.cs b/modules/end-user/src/gpconnect-appointment-checker/Core/Configuration/Infrastructure/ServiceCollectionExtensions.cs
index 7ade4fa2..8b8e76bf 100644
--- a/modules/end-user/src/gpconnect-appointment-checker/Core/Configuration/Infrastructure/ServiceCollectionExtensions.cs
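Review bot: The second added middleware writes `context.Session.SetString("SessionKey", "Session")` on every request that reaches it, which establishes a session (and issues the session cookie) for every visitor regardless of whether any handler uses session state; if the aim is only to keep an existing session alive, touch it from the handlers that read it or rely on `IdleTimeout`, and add a comment stating the intent either way. The antiforgery middleware above it is reasonable in principle, but when `SetCookieTokenAndHeader` issues a new token it also sets no-cache response headers, and the cache-control middleware that follows (context lines at the end of the hunk, body continuing outside it) assigns `CacheControl` afresh, so confirm the replacement value is no less restrictive. Two style points: `GetRequiredService()` appears here with no type argument (presumably `GetRequiredService<IAntiforgery>()` lost in rendering — worth confirming), and the two delegates mix `await next(context);` with `await next();`; use one overload consistently. ConfigureApplicationBuilderServices begins and ends outside the hunk.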
+++ b/modules/end-user/src/gpconnect-appointment-checker/Core/Configuration/Infrastructure/ServiceCollectionExtensions.cs
@@ -26,15 +26,16 @@ public static IServiceCollection ConfigureApplicationServices(this IServiceColle
 s.Cookie.MaxAge = TimeSpan.FromMinutes(15);
 s.Cookie.HttpOnly = true;
 s.Cookie.IsEssential = true;
- s.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+ // s.Cookie.SecurePolicy = CookieSecurePolicy.Always;
 });
 services.Configure(options =>
 {
 options.ConsentCookie.Name = ".GpConnectAppointmentChecker.ConsentCookie";
 options.CheckConsentNeeded = context => true;
- options.ConsentCookie.SecurePolicy = CookieSecurePolicy.Always;
- options.MinimumSameSitePolicy = SameSiteMode.Strict;
+ // options.ConsentCookie.SecurePolicy = CookieSecurePolicy.Always;
+ // options.MinimumSameSitePolicy = SameSiteMode.Strict;
+ options.MinimumSameSitePolicy = SameSiteMode.None;
 });
 services.Configure(x => x.ValueCountLimit = 100000);
@@ -113,8 +114,10 @@ public static IServiceCollection ConfigureApplicationServices(this IServiceColle
 {
 options.SuppressXFrameOptionsHeader = true;
 options.Cookie.HttpOnly = true;
- options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
- options.Cookie.SameSite = SameSiteMode.Strict;
+ // options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+ // options.Cookie.SameSite = SameSiteMode.Strict;
+ options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+ options.Cookie.SameSite = SameSiteMode.Lax;
 });
 services
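Review bot: Commenting out `s.Cookie.SecurePolicy = CookieSecurePolicy.Always` (and the matching line for the consent cookie) drops the Secure flag to the `SameAsRequest` default, so the session identifier is sent in the clear whenever a request arrives over HTTP; if the flag was removed because the app runs behind a TLS-terminating proxy and the cookies stopped working, the fix is to let the app see the original scheme with `UseForwardedHeaders` (`ForwardedHeaders.XForwardedProto`) or HTTPS redirection, not to drop the flag. `options.MinimumSameSitePolicy = SameSiteMode.None` similarly lowers the cookie-policy floor below the framework's `Lax` default; unless a cross-site flow is known to need it, keep `Strict` (or at least the default) and record the reason in a comment. The commented-out lines should be deleted rather than kept, and if the policy genuinely must differ between environments, bind it from configuration, e.g. `s.Cookie.SecurePolicy = configuration.GetValue<bool>("Cookies:RequireHttps") ? CookieSecurePolicy.Always : CookieSecurePolicy.SameAsRequest;` — hedged, since I cannot see whether a configuration instance is in scope in this method. ConfigureApplicationServices begins and ends outside the hunk.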
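Review bot: `options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest` lets the antiforgery cookie be issued and replayed over plain HTTP, exposing one half of the token pair to interception and injection by anyone on the path; keep `CookieSecurePolicy.Always` here and fix HTTPS detection instead. If the motivation was that `SetCookieTokenAndHeader` throws on non-HTTPS requests while `Always` is set, that is the framework reporting that the request is not seen as HTTPS — typically a missing `UseForwardedHeaders` behind a reverse proxy — though this is a guess, since the pipeline is not in this hunk. `SameSiteMode.Lax` is a defensible value for this cookie, but because it relaxes the previous `Strict`, a one-line comment on why (for example `// Lax: the token cookie must survive top-level navigations from the identity provider`, or whatever the real reason is) belongs next to it. The commented-out lines should be removed rather than left as history. The `});` closes the options lambda, but ConfigureApplicationServices itself continues beyond the hunk.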