Use request PathBase value to set cookie path only if it has a non-null & non-empty value

2016-11-08 16:50:46 -08:00 · 2016-11-08 16:50:46 -08:00 · 2fcb187d7d
--- a/src/Microsoft.AspNetCore.Antiforgery/AntiforgeryOptions.cs
+++ b/src/Microsoft.AspNetCore.Antiforgery/AntiforgeryOptions.cs
@ -47,8 +47,9 @@ namespace Microsoft.AspNetCore.Antiforgery
        }

        /// <summary>
-        /// The path set on the cookie. If it's <c>null</c>, the "path" attribute on the cookie is set to current
-        /// request's <see cref="HttpRequest.PathBase"/> value.
+        /// The path set on the cookie. If set to <c>null</c>, the "path" attribute on the cookie is set to the current
+        /// request's <see cref="HttpRequest.PathBase"/> value. If the value of <see cref="HttpRequest.PathBase"/> is
+        /// <c>null</c> or empty, then the "path" attribute is set to the value of <see cref="CookieOptions.Path"/>.
        /// </summary>
        public PathString? CookiePath { get; set; }

--- a/src/Microsoft.AspNetCore.Antiforgery/Internal/DefaultAntiforgeryTokenStore.cs
+++ b/src/Microsoft.AspNetCore.Antiforgery/Internal/DefaultAntiforgeryTokenStore.cs
@ -71,7 +71,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal

            var options = new CookieOptions();
            options.HttpOnly = true;
-            options.Path = _options.CookiePath ?? GetPathBase(httpContext);
            options.Domain = _options.CookieDomain;
            // Note: don't use "newCookie.Secure = _options.RequireSSL;" since the default
            // value of newCookie.Secure is populated out of band.
@ -79,18 +78,25 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
            {
                options.Secure = true;
            }
+            SetCookiePath(httpContext, options);

            httpContext.Response.Cookies.Append(_options.CookieName, token, options);
        }

-        private string GetPathBase(HttpContext httpContext)
+        private void SetCookiePath(HttpContext httpContext, CookieOptions cookieOptions)
        {
-            var pathBase = httpContext.Request.PathBase.ToString();
-            if (string.IsNullOrEmpty(pathBase))
+            if (_options.CookiePath != null)
            {
-                pathBase = "/";
+                cookieOptions.Path = _options.CookiePath.ToString();
+            }
+            else
+            {
+                var pathBase = httpContext.Request.PathBase.ToString();
+                if (!string.IsNullOrEmpty(pathBase))
+                {
+                    cookieOptions.Path = pathBase;
+                }
            }
-            return pathBase;
        }
    }
 }