Prevent Session cookies being sent to client

When using the AuthFeature is it possible to prevent it sending the ss-id, ss-pid, ss-opt and X-UAId cookies to the client?

We are using the JwtAuthProvider to create session-less JWT tokens, and don’t want the extra cookies going to the client.

This is our current setup:

appHost.Plugins.Add(new AuthFeature(() => new AuthUserSession(), new IAuthProvider[]
{
    new CustomCredentialsAuthProvider(appSettings)
    {
        SessionExpiry = lifetime,
    },
    new JwtAuthProvider(appSettings)
    {
        RequireSecureConnection = true,
        AuthKeyBase64 = appSettings.GetString(JwtAuthNKeySetting),
        SessionExpiry = lifetime,
    },
})
{
    HtmlRedirect = null,
    HtmlLogoutRedirect = @"~/",
    IncludeAssignRoleServices = false,
    IncludeRegistrationService = false,
});

You can disable all Session Cookies with:

SetConfig(new HostConfig {
    AllowSessionCookies = false
});

For finer-grained control you can override AppHost.AllowSetCookie() to control which Cookies you want to allow.

Thanks

Just confirming here. We still want the ss-tok cookie to be sent to the client, just not the others.
Does:

SetConfig(new HostConfig {
    AllowSessionCookies = false
});

get rid of the ss-tok cookie as well?

Doesn’t prevent ss-tok, the AllowSetCookie impl I linked to above shows which Session Cookies are restricted.

Thanks, it works as you said.

Now, the last remaining cookie we don’t want is the X-UAId. That is still showing up.

Is it a bug that it shows up, even if we said AllowSessionCookies = false?
Or is it intended that I would have to remove it myself in AppHost.AllowSetCookie()?

It’s metadata but it’s not used in ServiceStack, I’ve changed it so AllowSessionCookies also prevents it in this commit.

Will prevent it in next release, you can override AllowSetCookie() to prevent it in the latest version.

Thanks, that is great, cheers.
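
The override discussed in the thread could look like the following. This is an added example, not code from the thread or from ServiceStack itself: it blocks the four cookies named above (including X-UAId on versions where AllowSessionCookies does not yet cover it) and leaves ss-tok untouched. The AppHost class name, the "MyApp" service name and the BlockedCookies set are assumptions, and the AllowSetCookie(IRequest, string) signature should be checked against the installed ServiceStack version.

```csharp
using System;
using System.Collections.Generic;
using Funq;
using ServiceStack;
using ServiceStack.Web;

public class AppHost : AppHostBase
{
    // Cookie names as listed in the question. ss-tok (the JWT cookie)
    // is deliberately absent so it is still sent to the client.
    // BlockedCookies is a hypothetical helper, not a ServiceStack member.
    private static readonly HashSet<string> BlockedCookies =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "ss-id", "ss-pid", "ss-opt", "X-UAId",
        };

    // "MyApp" is a placeholder service name.
    public AppHost() : base("MyApp", typeof(AppHost).Assembly) { }

    public override void Configure(Container container)
    {
        // Built-in switch from the answer above.
        SetConfig(new HostConfig { AllowSessionCookies = false });

        // Register the AuthFeature here exactly as in the question.
    }

    // Consulted before a cookie is written to the response.
    public override bool AllowSetCookie(IRequest req, string cookieName)
    {
        // Explicit deny list first, so X-UAId is suppressed even on a
        // release where AllowSessionCookies does not restrict it.
        if (cookieName != null && BlockedCookies.Contains(cookieName))
            return false;

        // Defer to the framework's own rules for every other cookie.
        return base.AllowSetCookie(req, cookieName);
    }
}
```

After deploying, inspect the Set-Cookie headers on the authentication response to confirm that only ss-tok is issued.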