From e15dd02228c0433900d161b46ca2fc16bd440217 Mon Sep 17 00:00:00 2001
From: Frank Tovar
Date: Wed, 28 Jan 2026 20:08:08 +0100
Subject: [PATCH] Honor forwarded proto and scope cookie to base path to prevent new player cookies

---
 Infrastructure/PlayerIdentityExtensions.cs | 8 ++++++--
 Program.cs                                 | 6 ++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/Infrastructure/PlayerIdentityExtensions.cs b/Infrastructure/PlayerIdentityExtensions.cs
index f0444a7..9f8ca62 100644
--- a/Infrastructure/PlayerIdentityExtensions.cs
+++ b/Infrastructure/PlayerIdentityExtensions.cs
@@ -10,13 +10,17 @@ public static class PlayerIdentityExtensions
     {
         app.Use(async (ctx, next) =>
         {
+            var pathBase = ctx.Request.PathBase.HasValue ? ctx.Request.PathBase.Value : "/";
+            var isHttps = string.Equals(ctx.Request.Scheme, "https", StringComparison.OrdinalIgnoreCase);
+
             var cookieOptions = new CookieOptions
             {
                 HttpOnly = true,
                 SameSite = SameSiteMode.Strict,
-                Secure = !app.ApplicationServices.GetRequiredService().IsDevelopment(),
+                Secure = isHttps,
                 IsEssential = true,
-                Expires = DateTimeOffset.UtcNow.AddYears(1)
+                Expires = DateTimeOffset.UtcNow.AddYears(1),
+                Path = pathBase
             };
             Guid playerId;
diff --git a/Program.cs b/Program.cs
index 70779fd..846e9e9 100644
--- a/Program.cs
+++ b/Program.cs
@@ -1,6 +1,7 @@
 using GameList.Data;
 using GameList.Endpoints;
 using GameList.Infrastructure;
+using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.Data.Sqlite;
 using Microsoft.EntityFrameworkCore;
 using System.Text.Json.Serialization;
@@ -38,6 +39,11 @@ builder.Services.ConfigureHttpJsonOptions(options =>
 var app = builder.Build();
+app.UseForwardedHeaders(new ForwardedHeadersOptions
+{
+    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost
+});
+
 var basePath = builder.Configuration["BasePath"];
 if (!string.IsNullOrWhiteSpace(basePath))
 {
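Review bot: `Secure = isHttps` makes the cookie's Secure attribute follow the request scheme, so any request that reaches this middleware as plain HTTP — including one from a reverse proxy whose X-Forwarded-Proto is discarded because the proxy is not in the forwarded-headers trust list — issues the player cookie without Secure for a year, and in browsers that apply the leave-secure-cookies-alone rule that insecure write cannot replace an existing Secure cookie, so the visitor presumably still ends up with a second player identity, the very thing the commit title sets out to prevent. The removed line at least never issued a non-Secure cookie outside Development; keeping that as a floor preserves the intent while still honoring the forwarded scheme, e.g. `Secure = isHttps || !app.ApplicationServices.GetRequiredService<IHostEnvironment>().IsDevelopment(),` (the removed line's generic argument appears to have been stripped on this page; reuse whichever environment interface it named). A comment above `var isHttps` would also help the next reader, e.g. `// Scheme only reflects X-Forwarded-Proto once UseForwardedHeaders has accepted the proxy as known.`. The `app.Use` lambda that owns these lines continues past the end of the hunk.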
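Review bot: The ForwardedHeadersOptions passed to `app.UseForwardedHeaders` sets no `KnownProxies`/`KnownNetworks`, so the middleware keeps its defaults, which trust only loopback; when the reverse proxy reaches the app from any other address (a container network, a separate host) the X-Forwarded-* headers are silently ignored, `Request.Scheme` stays `http`, and the `Secure = isHttps` change in Infrastructure/PlayerIdentityExtensions.cs never takes effect. The common workaround of clearing both lists is worse, since it lets any direct client set X-Forwarded-Proto and X-Forwarded-Host, and trusting XForwardedHost in particular rewrites `Request.Host`, so it should only stay enabled together with a restrictive `AllowedHosts` setting. Prefer reading the proxy address(es) from configuration into `KnownProxies`/`KnownNetworks`, with a comment such as `// Only the configured reverse proxy may set X-Forwarded-*; the defaults trust loopback only.`, and drop XForwardedHost from the flags if link generation does not actually need it.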