Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core
Barry
October 18th, 2019
SameSite is a 2016 extension to HTTP cookies intended to mitigate cross site request forgery (CSRF). The original design was an opt-in feature which could be used by adding a new SameSite property to cookies. It had two values, Lax and Strict. Setting the value to Lax indicated the cookie should be sent on navigation within the same site, or through GET navigation to your site from other sites. A value of Strict limited the cookie to requests which only originated from the same site. Not setting the property at all placed no restrictions on how the cookie flowed in requests. OpenIdConnect authentication operations (e.g. login, logout), and other features that send POST requests from an external site to the site requesting the operation, can use cookies for correlation and/or CSRF protection. These operations would need to opt-out of SameSite, by not setting the property at all, to ensure these cookies will be sent during their specialized request flows.
Google is now updating the standard and implementing their proposed changes in an upcoming version of Chrome. The change adds a new SameSite value, “None”, and changes the default behavior to “Lax”. This breaks OpenIdConnect logins, and potentially other features your web site may rely on, these features will have to use cookies whose SameSite property is set to a value of “None”. However browsers which adhere to the original standard and are unaware of the new value have a different behavior to browsers which use the new standard as the SameSite standard states that if a browser sees a value for SameSite it does not understand it should treat that value as “Strict”. This means your .NET website will now have to add user agent sniffing to decide whether you send the new None value, or not send the attribute at all.
.NET will issue updates to change the behavior of its SameSite attribute behavior in .NET 4.7.2 and in .NET Core 2.1 and above to reflect Google’s introduction of a new value. The updates for the .NET Framework will be available on November 19th as an optional update via Microsoft Update and WSUS if you use the “Check for Update” functionality. On December 10th it will become widely available and appear in Microsoft Update without you having to specifically check for updates. .NET Core updates will be available with .NET Core 3.1 starting with preview 1, in November.
.NET Core 3.1 will contain an updated enum definition, SameSite.Unspecified which will not set the SameSite property.
The OpenIdConnect middleware for Microsoft.Owin v4.1 and .NET Core will be updated at the same time as their .NET Framework and .NET updates, however we cannot introduce the user agent sniffing code into the framework, this must be implemented in your site code. The implementation of agent sniffing will vary according to what version of ASP.NET or ASP.NET Core you are using and the browsers you wish to support.
For ASP.NET 4.7.2 with Microsoft.Owin 4.1.0 agent sniffing can be implemented using ICookieManager;
public class SameSiteCookieManager : ICookieManager
{ private readonly ICookieManager _innerManager; public SameSiteCookieManager() : this(new CookieManager()) { } public SameSiteCookieManager(ICookieManager innerManager) { _innerManager = innerManager; } public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options) { CheckSameSite(context, options); _innerManager.AppendResponseCookie(context, key, value, options); } public void DeleteCookie(IOwinContext context, string key, CookieOptions options) { CheckSameSite(context, options); _innerManager.DeleteCookie(context, key, options); } public string GetRequestCookie(IOwinContext context, string key) { return _innerManager.GetRequestCookie(context, key); } private void CheckSameSite(IOwinContext context, CookieOptions options) { if (DisallowsSameSiteNone(context) && options.SameSite == SameSiteMode.None) { options.SameSite = null; } } public static bool DisallowsSameSiteNone(IOwinContext context) { // TODO: Use your User Agent library of choice here. var userAgent = context.Request.Headers["User-Agent"]; return userAgent.Contains("BrokenUserAgent") || userAgent.Contains("BrokenUserAgent2") }
}
And then configure OpenIdConnect settings to use the new CookieManager;
app.UseOpenIdConnectAuthentication( new OpenIdConnectAuthenticationOptions { // … Your preexisting options … CookieManager = new SameSiteCookieManager(new SystemWebCookieManager())
});
SystemWebCookieManager will need the .NET 4.7.2 or later SameSite patch installed to work correctly.
For ASP.NET Core you should install the patches and then implement the agent sniffing code within a cookie policy. For versions prior to 3.1 replace SameSiteMode.Unspecified with (SameSiteMode)(-1).
private void CheckSameSite(HttpContext httpContext, CookieOptions options)
{ if (options.SameSite > SameSiteMode.Unspecified) { var userAgent = httpContext.Request.Headers["User-Agent"].ToString(); // TODO: Use your User Agent library of choice here. if (/* UserAgent doesn’t support new behavior */) { // For .NET Core < 3.1 set SameSite = -1 options.SameSite = SameSiteMode.Unspecified; } }
} public void ConfigureServices(IServiceCollection services)
{ services.Configure<CookiePolicyOptions>(options => { options.MinimumSameSitePolicy = SameSiteMode.Unspecified; options.OnAppendCookie = cookieContext => CheckSameSite(cookieContext.Context, cookieContext.CookieOptions); options.OnDeleteCookie = cookieContext => CheckSameSite(cookieContext.Context, cookieContext.CookieOptions); });
} public void Configure(IApplicationBuilder app)
{ app.UseCookiePolicy(); // Before UseAuthentication or anything else that writes cookies. app.UseAuthentication(); // …
}
Under testing with the Azure Active Directory team we have found the following checks work for all the common user agents that Azure Active Directory sees that don’t understand the new value.
public static bool DisallowsSameSiteNone(string userAgent)
{
// Cover all iOS based browsers here. This includes:
// - Safari on iOS 12 for iPhone, iPod Touch, iPad
// - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
// - Chrome on iOS 12 for iPhone, iPod Touch, iPad
// All of which are broken by SameSite=None, because they use the iOS networking stack
if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
{
return true;
} // Cover Mac OS X based browsers that use the Mac OS networking stack. This includes:
// - Safari on Mac OS X.
// This does not include:
// - Chrome on Mac OS X
// Because they do not use the Mac OS networking stack.
if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") && userAgent.Contains("Version/") && userAgent.Contains("Safari"))
{
return true;
} // Cover Chrome 50-69, because some versions are broken by SameSite=None, // and none in this range require it.
// Note: this covers some pre-Chromium Edge versions, // but pre-Chromium Edge does not require SameSite=None.
if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
{
return true;
} return false;
}
This browser list is by no means canonical and you should validate that the common browsers and other user agents your system supports behave as expected once the update is in place.
Chrome 80 is scheduled to turn on the new behavior in February or March 2020, including a temporary mitigation added in Chrome 79 Beta. If you want to test the new behavior without the mitigation use Chromium 76. Older versions of Chromium are available for download.
If you cannot update your framework versions by the time Chrome turns the new behavior in early 2020 you may be able to change your OpenIdConnect flow to a Code flow, rather than the default implicit flow that ASP.NET and ASP.NET Core uses, but this should be viewed as a temporary measure.
We strongly encourage you to download the updated .NET Framework and .NET Core versions when they become available in November and start planning your update before Chrome’s changes are rolled out.
Amazon drops Apple’s 1TB 11-inch iPad Pro to lowest price ever
By Christine McKee Sunday, October 20, 2019, 10:41 am PT (01:41 pm ET)
Apple latest iPad Pro with 1TB of space has just received a $250 markdown on Amazon, bringing the price down to $1,099, a record low. Supplies may be limited, so act fast to snap up the deal.
AppleInsider proudly offers readers some of the best deals on Apple products year round from top retailers like Amazon, Adorama, B&H Photo, Best Buy, and others.
Quiller Media maintains affiliate partnerships with several of these retailers. Although these partnerships do not influence our editorial content, Quiller Media may earn commissions for products purchased via affiliate links.
1TB iPad Pro hits new low price
Amazon’s $250 price drop applies to Apple’s current 11-inch iPad Pro with 1TB storage capacity and Wi-Fi functionality in your choice of Space Gray or Silver. With an MSRP of $1,349, this $1,099.97 price is the lowest ever offered on Amazon, and is at least $50 cheaper than other Apple Authorized Resellers, according to our 11-inch iPad Pro Price Guide.
Other 11-inch iPad Pro storage capacities are also on sale, with prices as low as $674 (a sampling can be found below). And if you plan on taking notes or creating artwork using the 11-inch iPad Pro, the second-generation Apple Pencil 2 is currently $10 off as well.
Best iPad Pro deals
Save on the Apple Pencil 2
2019 AirPods are also on sale
Additional Apple Deals
AppleInsider and Apple authorized resellers are also running a handful of additional exclusive savings this month on Apple hardware that will not only deliver the lowest prices on many of the items, but also throw in discounts on AppleCare and accessories. These deals are as follows:
This is the latest in a series of articles on Cockpit, the easy-to-use, integrated, glanceable, and open web-based interface for your servers. In the first article, we introduced the web user interface. The second and third articles focused on how to perform storage and network tasks respectively.
This article demonstrates how to create and modify local accounts. It also shows you how to install the 389 Directory Server add-on (or plugin). Finally, you’ll see how 389 DS integrates into the Cockpit web service.
Managing local accounts
To start, click the Accounts option in the left column. The main screen provides an overview of local accounts. From here, you can create a new user account, or modify an existing account.
Accounts screen overview in Cockpit
Creating a new account in Cockpit
Cockpit gives sysadmins the ability to easily create a basic user account. To begin, click the Create New Account button. A box appears, requesting basic information such as the full name, username, and password. It also provides the option to lock the account. Click Create to complete the process. The example below creates a new user named Demo User.
Creating a local account in Cockpit
Managing accounts in Cockpit
Cockpit also provides basic management of local accounts. Some of the features include elevating the user’s permissions, password expiration, and resetting or changing the password.
Modifying an account
To modify an account, go back to the accounts page and select the user you wish to modify. Here, we can change the full name and elevate the user’s role to Server Administrator — this adds user to the wheel group. It also includes options for access and passwords.
The Access options allow admins to lock the account. Clicking Never lock account will open the “Account Expiration” box. From here we can choose to Never lock the account, or to lock it on a scheduled date.
Password management
Admins can choose to Set password and Force Change. The first option prompts you to enter a new password. The second option forces users to create a new password the next time they login.
Selecting the Never change password option opens a box with two options. The first is Never expire the password. This allows the user to keep their password without the need to change it. The second option is Require Password change every … days. This determines the amount of days a password can be used before it must be changed.
Adding public keys
We can also add public SSH keys from remote computers for password-less authentication. This is equivalent to the ssh-copy-id command. To start, click the Add Public Key (+) button. Finally, copy the public key from a remote machine and paste it into the box.
To remove the key, click the remove (-) button to the right of the key.
Terminating the session and deleting an account
Near the top right-corner are two buttons: Terminate Session, and Delete. Clicking the Terminate Session button immediately disconnects the user. Clicking the Delete button removes the user and offers to delete the user’s files with the account.
Modifying and deleting a local account with Cockpit
Managing 389 Directory Server
Cockpit has a plugin for managing the 389 Directory Service. To add the 389 Directory Server UI, run the following command using sudo:
$ sudo dnf install cockpit-389-ds
Because of the enormous number of settings, Cockpit provides detailed optimization of the 389 Directory Server. Some of these settings include:
Server Settings: Options for server configuration, tuning & limits, SASL, password policy, LDAPI & autobind, and logging.
Security: Enable/disable security, certificate management, and cipher preferences.
Database: Configure the global database, chaining, backups, and suffixes.
Replication: Pertains to agreements, Winsync agreements, and replication tasks.
Schema: Object classes, attributes, and matching rules.
Plugins: Provides a list of plugins associated with 389 Directory Server. Also gives admins the opportunity to enable/disable, and edit the plugin.
Monitoring: Shows database performance stats. View DB cache hit ratio and normalized DN cache. Admins can also configure the amount of tries, and hits. Furthermore, it provides server stats and SNMP counters.
Due to the abundance of options, going through the details for 389 Directory Server is beyond the scope of this article. For more information regarding 389 Directory Server, visit their documentation site.
Managing 389 Directory Server with Cockpit
As you can see, admins can perform quick and basic user management tasks. However, the most noteworthy is the in-depth functionality of the 389 Directory Server add-on.
The next article will explore how Cockpit handles software and services.
Check Out Luigi's Mansion 3's New ScreamPark Multiplayer Mode
Luigi's Mansion 3 arrives on Nintendo Switch next week, and in addition to the main story, the game features two distinct multiplayer modes: the returning ScareScraper from Luigi's Mansion: Dark Moon, and a new mode dubbed ScreamPark. Ahead of the game's release, Nintendo has shared a lengthy video showing off the latter.
Unlike ScareScraper, which has players working cooperatively to clear floors of a tower, ScreamPark is a local, head-to-head party mode that pits two teams against each other in different mini-games. The video below starts off with Ghost Hunt, which has the teams vying to vacuum up the most ghosts within the time limit, but it also gives us our first look at a mini-game called Cannon Barrage, where the object is to load a cannon and fire it at rotating targets.
Both ScreamPark and ScareScraper support up to eight players, but the latter is playable either locally or online. Nintendo had previously confirmed that Luigi's Mansion 3 will receive paid DLC, which will add "new content" to both ScareScraper and ScreamPark modes. However, the company has not yet announced what that content will be or when players can expect it to release.
Luigi's Mansion 3 releases for Switch, fittingly, on October 31. You can check out some gameplay footage from the first eight floors of the game above. We also had a chance to interview producer Kensuke Tanabe at E3 2019 about potential single-player DLC and whether Luigi will ever stop being a coward.
Ahead of Luigi's Mansion 3's release, Tetris 99 is holding a new Maximus Cup event that features an unlockable Luigi's Mansion theme. The cowardly plumber has also finally made his debut in Mario Kart Tour alongside the game's Halloween Tour event, which also introduces King Boo, a Halloween-themed Rosalina, and more.
The Cloud Native Computing Foundation (CNCF), which sustains and integrates open source technologies like Kubernetes and Prometheus, today announced that its End User Community has grown to 100 members. The CNCF End User Community consists of enterprises and startups that are committed to accelerating the adoption of cloud native technologies and improving the deployment experience. (Yahoo!)
For the first time since moving to a subscription based pricing model, Unity Technologies have announced an increase in price for their Plus and Pro subscriptions.
Here are the current subscription costs:
Effective January 1, 2020 prices will rise to $40 a month for Plus and $150 a month for Pro subscriptions.
Effective January 1, 2020 at 12:00 am UTC, the price for Unity Pro subscriptions will be USD $150/month and Unity Plus subscriptions will be USD $40/month. This pricing applies to new subscriptions, additional seats, and renewals of expiring custom agreements. Current seat subscriptions and current custom agreements are unaffected. If you wish to confirm this, please check your email or contact the Customer Service team.
Why are you raising the price of subscriptions?
The price has remained the same for over three years and we are making these increases in order to continue investing in new technology, features and services that will benefit all Unity creators.
Will there still be a free Unity version?
Yes. Unity Personal remains free to creators with revenue or funding (raised or self-funded) below USD $100K in the past year.
Subscriptions purchased before January 1st will remain at the current pricing, so if you are looking to subscribe, now is the time!
As it’s likely there may not be a Friday update this week due to me being away, just thought I’d let you know about one game that’s just dropped onto mobile – Bad North. We were given the heads up about this a couple of weeks ago and I’m glad it’s finally here.
Just in case you’re still not in the know, Bad North is a ‘micro’ real-time strategy game where you control a small group of units that have to defend various islands from waves of Viking invaders. The islands vary in size and topography, and as you progress through the campaign you can get access to more/different units, upgrade your existing ones and even find loot to help you in your fight.
It’s a game that’s mainly about planning and making sure you have the right counters in play, but there’s a permanence to the choices you make. If you sacrifice that one unit to buy yourself some extra seconds, that unit is gone. Damage units take will need time to heal as well. Publisher Raw Fury are celebrating the mobile launch with this new, and slightly bizarre, trailer:
Bad North is available on both iOS Universal and Android for $4.99/£4.59. If you’re wondering what the ‘Jotunn Edition’ tag means, that’s just the name of the free content update they put out on the PC version a couple of months ago which added a bunch of new things for players to enjoy. It’s considered the ‘definitive’ edition of the game, although that’s not to see there won’t be further updates. We’ll have to see.
We’ll be working on a dedicated PT review as soon as we can, but in the meantime you can always read our sister site’s thoughts. I’ve played it myself and I can definitely say it’s good, and the niggles we had a launch have long-since been ironed out. It still might not be everyone’s cup of tea – this is a very simplistic strategy game at the end of the day, but you’re still required to make tough choices, sometimes on the spot. Still, pending our full review it still gets my personal recommendation, for whatever that’s worse.
Let us know if you end up picking up the game, and what you think of it.
Here’s what’s new in this release for ASP.NET Core:
Partial class support for Razor components
Pass parameters to top-level components
Support for shared queues in HttpSysServer
Breaking changes for SameSite cookies
Alongside this .NET Core 3.1 Preview 1 release, we’ve also released a Blazor WebAssembly update, which now requires .NET Core 3.1. To use Blazor WebAssembly you will need to install .NET Core 3.1 Preview 1 as well as the latest preview of Visual Studio.
See the release notes for additional details and known issues.
If you’re on Windows using Visual Studio, for the best experience we recommend installing the latest preview of Visual Studio 2019 16.4. Installing Visual Studio 2019 16.4 will also install .NET Core 3.1 Preview 1, so you don’t need to separately install it. For Blazor development with .NET Core 3.1, Visual Studio 2019 16.4 is required.
To install the latest Blazor WebAssembly template run the following command:
dotnet new -i Microsoft.AspNetCore.Blazor.Templates::3.1.0-preview1.19508.20
Upgrade an existing project
To upgrade an existing ASP.NET Core 3.0 project to 3.1 Preview 1:
Update any projects targeting netcoreapp3.0 to target netcoreapp3.1
Update all Microsoft.AspNetCore.* package references to 3.1.0-preview1.19506.1
That’s it! You should now be all set to use .NET Core 3.1 Preview 1!
Partial class support for Razor components
Razor components are now generated as partial classes. You can author the code for a Razor component using a code-behind file defined as a partial class instead of defining all the code for the component in a single file.
For example, instead of defining the default Counter component with an @code block, like this:
namespace BlazorApp1.Pages
{ public partial class Counter { int currentCount = 0; void IncrementCount() { currentCount++; } }
}
Pass parameters to top-level components
Blazor Server apps can now pass parameters to top-level components during the initial render. Previously you could only pass parameters to a top-level component with RenderMode.Static. With this release, both RenderMode.Server and RenderModel.ServerPrerendered are now supported. Any specified parameter values are serialized as JSON and included in the initial response.
For example, you could prerender a Counter component with a specific current count like this:
@(await Html.RenderComponentAsync<Counter>(RenderMode.ServerPrerendered, new { CurrentCount = 123 }))
Support for shared queues in HttpSysServer
In addition to the existing behavior where HttpSysServer created anonymous request queues, we’ve added to ability to create or attach to an existing named HTTP.sys request queue. This should enable scenarios where the HTTP.Sys controller process that owns the queue is independent to the listener process making it possible to preserve existing connections and enqueued requests between across listener process restarts.
This release updates the behavior of SameSite cookies in ASP.NET Core to conform to the latest standards being enforced by browsers. For details on these changes and their impact on existing apps see https://github.com/aspnet/Announcements/issues/390.
Give feedback
We hope you enjoy the new features in this preview release of ASP.NET Core! Please let us know what you think by filing issues on GitHub.
Nowadays, business networks often use a VPN (virtual private network) for secure communications with workers. However, the protocols used can sometimes make performance slow. If you can reach reach a host on the remote network with SSH, you could set up port forwarding. But this can be painful, especially if you need to work with many hosts on that network. Enter sshuttle — which lets you set up a quick and dirty VPN with just SSH access. Read on for more information on how to use it.
The sshuttle application was designed for exactly the kind of scenario described above. The only requirement on the remote side is that the host must have Python available. This is because sshuttle constructs and runs some Python source code to help transmit data.
Installing sshuttle
The sshuttle application is packaged in the official repositories, so it’s easy to install. Open a terminal and use the following command with sudo:
$ sudo dnf install sshuttle
Once installed, you may find the manual page interesting:
$ man sshuttle
Setting up the VPN
The simplest case is just to forward all traffic to the remote network. This isn’t necessarily a crazy idea, especially if you’re not on a trusted local network like your own home. Use the -r switch with the SSH username and the remote host name:
$ sshuttle -r username@remotehost 0.0.0.0/0
However, you may want to restrict the VPN to specific subnets rather than all network traffic. (A complete discussion of subnets is outside the scope of this article, but you can read more here on Wikipedia.) Let’s say your office internally uses the reserved Class A subnet 10.0.0.0 and the reserved Class B subnet 172.16.0.0. The command above becomes:
This works great for working with hosts on the remote network by IP address. But what if your office is a large network with lots of hosts? Names are probably much more convenient — maybe even required. Never fear, sshuttle can also forward DNS queries to the office with the –dns switch:
To run sshuttle like a daemon, add the -D switch. This also will send log information to the systemd journal via its syslog compatibility.
Depending on the capabilities of your system and the remote system, you can use sshuttle for an IPv6 based VPN. You can also set up configuration files and integrate it with your system startup if desired. If you want to read even more about sshuttle and how it works, check out the official documentation. For a look at the code, head over to the GitHub page.
Posted by: xSicKxBot - 10-23-2019, 09:05 AM - Forum: Lounge
- No Replies
Free Call Of Duty: Modern Warfare PS4 Theme Available Now
We're now just days away from the release of Call of Duty: Modern Warfare, the highly anticipated first-person shooter and soft reboot of the popular Modern Warfare series. If you've already secured your pre-order, pre-loaded the game on PS4, and are counting down the hours until the game officially goes live at 6 PM PT / 9 PM ET on October 24, you'll probably be interested in this nice freebie. A brand-new Call of Duty: Modern Warfare dynamic theme is available to download from the PlayStation Store starting today, and it's completely free.
The "Going Dark" theme is, as the name implies, quite dark, with a mostly black background and quiet, suspenseful music. The icons on the screen look a bit translucent, and the background features the series' signature blue, radar-like waves. You can check it out in the video below.
Two other new PS4 themes are free right now, so you might as well snag all three at the same time. The first is a custom Mortal Kombat 11 theme designed by community artist BossLogic and features two different art designs inspired by the acclaimed fighting game. The second is a gorgeous theme inspired by Destiny Connect: Tick-Tock Travelers, an RPG about a girl named Sherry who must save her town from being frozen in time. This particular theme is available free for a limited time--you have until November 5 to claim it for yourself. Destiny Connect: Tick-Tock Travelers is now available to play, too; it released on PS4 and Nintendo Switch October 22.
There are also quite a few sales going on in the PlayStation Store right now, including its annual Halloween sale on some of the best and spookiest horror games on PS4 and an Ubisoft publisher sale with deals on Rainbow Six Siege, Assassin's Creed Odyssey, and more.