SameSite attribute support for ResponseCookieCollection

[Gradi]

I have added a way to set SameSite attribute value for Set-Cookie headers.
You can do so by setting CookieOptions.SameSite property to some non null value.
If CookieOptions.SameSite property is null then SameSite attribute will not be added at all.

I must point out that if you use SameSiteMode.None it will be set as SameSite=None.

You can read about that behavior here and here

[dnfclas]

All CLA requirements met.

[Gradi]

Also it may solve #201 issue

[Tratcher]

SameSite=None is still an early draft and breaks Safari. We can't merge that specific behavior until that gets worked out.
dotnet/aspnetcore#12125 (comment)

[Tratcher]

There are many other places that need to be updated, such as exposing this option for several auth components that emit cookies. SameSite breaks OAuth and OIDC so they need to disable it. Null is OK for them only until the implied default becomes Lax.
https://github.com/aspnet/AspNetKatana/search?q=CookieOptions&unscoped_q=CookieOptions

AspNetKatana/src/Microsoft.Owin/Infrastructure/ChunkingCookieManager.cs

Line 143 in 40de801

string suffix = string.Concat(

AspNetKatana/src/Microsoft.Owin.Host.SystemWeb/SystemWebCookieManager.cs

Lines 86 to 90 in 40de801

	var cookie = new HttpCookie(escapedKey, Uri.EscapeDataString(value));
	if (domainHasValue)
	{
	cookie.Domain = options.Domain;
	}

AspNetKatana/src/Microsoft.Owin.Host.SystemWeb/SystemWebChunkingCookieManager.cs

Line 170 in 40de801

string suffix = string.Concat(

AspNetKatana/src/Microsoft.Owin.Security.Cookies/CookieAuthenticationOptions.cs

Line 54 in 40de801

public string CookieDomain { get; set; }

AspNetKatana/src/Microsoft.Owin.Security/Infrastructure/AuthenticationHandler.cs

Lines 216 to 220 in 40de801

	var cookieOptions = new CookieOptions
	{
	HttpOnly = true,
	Secure = Request.IsSecure
	};

AspNetKatana/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs

Lines 467 to 472 in 40de801

	new CookieOptions
	{
	HttpOnly = true,
	Secure = Request.IsSecure,
	Expires = DateTime.UtcNow + Options.ProtocolValidator.NonceLifetime
	});

[Gradi]

Hm. System.Web already contains SameSiteMode enum, but it is not available in Microsoft.Owin project.

SameSite breaks OAuth and OIDC so they need to disable it. Null is OK for them only until the implied default becomes Lax.

I'm sorry. I don't quite get what is wrong. If you set to null(or just do nothing) then SameSite would not be included at all as it does right now. Default behavior with default options is not broken.

[Tratcher]

System.Web.SameSiteMode was added in 4.7.2. Microsoft.Owin targets 4.5.0. We'd probably have to cross compile Microsoft.Owin.Host.SystemWeb to support that.
https://docs.microsoft.com/en-us/dotnet/api/system.web.samesitemode?view=netframework-4.7.2#applies-to

The new SameSite behavior defined in https://tools.ietf.org/html/draft-west-cookie-incrementalism-00 is that Lax becomes the default and you have to specify None to opt out. That default would break OAuth and OIDC unless they opt out, and they can't opt out without breaking Safari.

[Tratcher]

I'm going to merge this as is and keep iterating. Thanks for getting it started for us.