Stop cookies sending?

gandaldf · February 3, 2016, 12:21am

Hi, I would like to know if there’s a way to tell SS to stop send cookies.
I read here: Self Host + Serve static files with no cookies? that cookies are added with SessionFeature and implicitly by AuthFeature.
I’m trying to develop a token based authentication system using a custom credentials auth provider and I wouldn’t need t the cookies, there is any solution for this?

Thank you!

mythz · February 3, 2016, 12:33am

The Cookies are populated by the Request Filter registered in the SessionFeature so you could remove the last Request Filter added after you’ve registered the AuthFeature (which registers the SessionFeature), but note the cookies are used to identify the Users Session, if they’re not going to exist you’ll need to populate req.Items[SessionFeature.SessionId] yourself.

Another option is to just clear the Cookies after they’ve been added with:

res.ClearCookies();

//req.Response.ClearCookies(); // from IRequest

gandaldf · February 3, 2016, 9:45am

I don’t know if I had understand… In the first case should I do something like this?

Plugins.Add(
    new AuthFeature(() => new CustomUserSession(),
        new IAuthProvider[] {
            new CustomAuthProvider()
        }
    )
);

this.GlobalRequestFilters.Remove(SessionFeature.AddSessionIdToRequestFilter);

and in the second case something like this?

this.GlobalResponseFilters.Add((req, res, responseDto) =>
{
    res.ClearCookies();

    //req.Response.ClearCookies(); // from IRequest
});

…because no one seems to work…

mythz · February 3, 2016, 2:13pm

The Filters are only added when the Plugin is Registered so you could only remove them after they Plugins have been registered either by overriding OnAfterInit():

public override void OnAfterInit() {
    base.OnAfterInit(); //important
}

Or by registering a AfterInitCallbacks which gets called after the AppHost is initialized.

Can you confirm ClearCookies() is being called in the request where the Cookies are added (i.e. in a debugger)? Can you provide the HTTP Response Headers showing the Set-Cookie being returned?

mythz · February 19, 2016, 7:59pm

FYI this should now be easier with the new Config.AllowSessionCookies option to suppress just the Session Cookies:

SetConfig(new HostConfig {
    AllowSessionCookies = true //disable session cookies
});

If you need more control this default behavior is customizable by overriding AppHost.AllowSetCookie().

This change is available from v4.0.53 that’s now available on MyGet.

gandaldf · February 21, 2016, 3:25pm

Thank you Demis… I will check it out!
Is there also a way to rename the cookies?

mythz · February 21, 2016, 5:58pm

No they’re a hard-coded and predictable convention.

gandaldf · February 22, 2016, 9:08am

Ok! no problem… I was just curious.