SameSite cookie properties in mixed sync/async execution

Up until recently, we have been mixing sync and async execution of custom authentication providers within the ServiceStack AuthFeature framework. In doing so, we’ve run into an issue with SameSite cookie properties.

Previously, we were using the current IRequest in the context of an AppHost.HttpCookieFilter override (from HostContext.TryGetCurrentRequest()) to get the information necessary to determine if a cookie needed to be SameSite=None. When moving to the async model, we lose that context.

Is there an alternate way to achieve selective use of SameSite=None? If not, would it be possible to have the IRequest provided on the AppHost.HttpCookieFilter() method?

You can override SetCookieFilter() in your AppHost to intercept cookies being set with the IRequest context; returning false prevents the Cookie from being set. Here’s the default impl:

public virtual bool SetCookieFilter(IRequest req, Cookie cookie)
{
    if (req.Response.HasStarted)
        return false;
    return AllowSetCookie(req, cookie.Name);
}
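
An added example (not from the original thread or from ServiceStack's own code) of overriding SetCookieFilter so that only selected cookies are emitted with SameSite=None. The allow-lists, the Origin-header check, the helper names NeedsSameSiteNone and ToSameSiteNoneHeader, and the choice to write the Set-Cookie header directly and return false are assumptions; it also assumes the host appends repeated Set-Cookie headers passed to AddHeader rather than replacing them.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Funq;
using ServiceStack;
using ServiceStack.Web;

public class AppHost : AppHostBase
{
    public AppHost() : base("App", typeof(AppHost).Assembly) { }
    public override void Configure(Container container) { }

    // Constructed allow-lists: the only origin and cookies allowed to go cross-site.
    static readonly HashSet<string> EmbedOrigins = new HashSet<string> { "https://partner.example" };
    static readonly HashSet<string> CrossSiteCookies = new HashSet<string> { "ss-id", "ss-pid" };

    // Hypothetical helper: relax SameSite only over TLS, for a listed cookie and origin.
    public static bool NeedsSameSiteNone(bool secure, string origin, string cookieName) =>
        secure && origin != null
        && EmbedOrigins.Contains(origin) && CrossSiteCookies.Contains(cookieName);

    // Hypothetical helper: serialise the cookie with Secure and SameSite=None forced on.
    public static string ToSameSiteNoneHeader(Cookie c)
    {
        var parts = new List<string> { c.Name + "=" + c.Value };
        parts.Add("Path=" + (string.IsNullOrEmpty(c.Path) ? "/" : c.Path));
        if (!string.IsNullOrEmpty(c.Domain)) parts.Add("Domain=" + c.Domain);
        if (c.Expires != DateTime.MinValue)
            parts.Add("Expires=" + c.Expires.ToUniversalTime().ToString("R"));
        if (c.HttpOnly) parts.Add("HttpOnly");
        parts.Add("Secure");        // browsers reject SameSite=None without Secure
        parts.Add("SameSite=None");
        return string.Join("; ", parts);
    }

    public override bool SetCookieFilter(IRequest req, Cookie cookie)
    {
        if (!base.SetCookieFilter(req, cookie))
            return false;           // keep the default veto shown above

        if (!NeedsSameSiteNone(req.IsSecureConnection, req.Headers["Origin"], cookie.Name))
            return true;            // default path: the framework writes the cookie as usual

        // Assumption: AddHeader appends repeated Set-Cookie headers on this host.
        req.Response.AddHeader("Set-Cookie", ToSameSiteNoneHeader(cookie));
        return false;               // already written above, so skip the default write
    }
}
```

Every cookie outside the allow-list stays on the framework's default path, so the relaxation cannot spread to cookies or origins that were not explicitly listed.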