From 01658a4c76a3cba52aab720ca12f0dc3279f371d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Chalet?= Date: Sat, 4 Jul 2026 08:47:53 +0200 Subject: [PATCH] Reuse the CookieOptions instance instead of creating one for each operation --- .../OpenIddictClientAspNetCoreHandlers.cs | 4 ++-- .../OpenIddictClientOwinHandlers.cs | 20 ++++--------------- 2 files changed, 6 insertions(+), 18 deletions(-) diff --git a/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandlers.cs b/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandlers.cs index 3adc5ca60..5e43277f6 100644 --- a/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandlers.cs +++ b/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandlers.cs @@ -446,7 +446,7 @@ static bool TryGetRequestForgeryProtection(ReadOnlySpan input, [NotNullWhe { // Extract the payload and validate the version marker. var payload = Base64Url.DecodeFromChars(input); - if (payload.Length < (1 + sizeof(uint)) || payload[0] is not 0x01) + if (payload.Length is < (1 + sizeof(uint)) || payload[0] is not 0x01) { output = null; return false; @@ -454,7 +454,7 @@ static bool TryGetRequestForgeryProtection(ReadOnlySpan input, [NotNullWhe // Extract the length of the request forgery protection. var length = (int) BinaryPrimitives.ReadUInt32BigEndian(payload.AsSpan(1, sizeof(uint))); - if (length is 0 || length != (payload.Length - (1 + sizeof(uint)))) + if (length != (payload.Length - (1 + sizeof(uint)))) { output = null; return false; diff --git a/src/OpenIddict.Client.Owin/OpenIddictClientOwinHandlers.cs b/src/OpenIddict.Client.Owin/OpenIddictClientOwinHandlers.cs index a29c0c0b3..8e472d5d1 100644 --- a/src/OpenIddict.Client.Owin/OpenIddictClientOwinHandlers.cs +++ b/src/OpenIddict.Client.Owin/OpenIddictClientOwinHandlers.cs @@ -402,11 +402,6 @@ public ValueTask HandleAsync(ProcessAuthenticationContext context) throw new InvalidOperationException(SR.GetResourceString(SR.ID0354)); } - // Resolve the cookie manager and the cookie options from the OWIN integration options. - var (manager, options) = ( - _options.CurrentValue.CookieManager, - _options.CurrentValue.CookieOptions); - // Compute the name of the cookie name based on the prefix and the random nonce. var name = new StringBuilder(_options.CurrentValue.CookieName) .Append(Separators.Dot) @@ -419,7 +414,7 @@ public ValueTask HandleAsync(ProcessAuthenticationContext context) // // In any case, the authentication demand MUST be rejected as it's impossible to ensure // it's not an injection or session fixation attack without the correlation cookie. - var value = manager.GetRequestCookie(request.Context, name); + var value = _options.CurrentValue.CookieManager.GetRequestCookie(request.Context, name); if (string.IsNullOrEmpty(value)) { context.Reject( @@ -447,14 +442,7 @@ public ValueTask HandleAsync(ProcessAuthenticationContext context) // Return a response header asking the browser to delete the state cookie. // // Note: when deleting a cookie, the same options used when creating it MUST be specified. - manager.DeleteCookie(request.Context, name, new CookieOptions - { - Domain = options.Domain, - HttpOnly = options.HttpOnly, - Path = options.Path, - SameSite = options.SameSite, - Secure = options.Secure - }); + _options.CurrentValue.CookieManager.DeleteCookie(request.Context, name, _options.CurrentValue.CookieOptions); return ValueTask.CompletedTask; @@ -464,7 +452,7 @@ static bool TryGetRequestForgeryProtection(ReadOnlySpan input, [NotNullWhe { // Extract the payload and validate the version marker. var payload = Base64Url.DecodeFromChars(input); - if (payload.Length < (1 + sizeof(uint)) || payload[0] is not 0x01) + if (payload.Length is < (1 + sizeof(uint)) || payload[0] is not 0x01) { output = null; return false; @@ -472,7 +460,7 @@ static bool TryGetRequestForgeryProtection(ReadOnlySpan input, [NotNullWhe // Extract the length of the request forgery protection. var length = (int) BinaryPrimitives.ReadUInt32BigEndian(payload.AsSpan(1, sizeof(uint))); - if (length is 0 || length != (payload.Length - (1 + sizeof(uint)))) + if (length != (payload.Length - (1 + sizeof(uint)))) { output = null; return false;