LanguageSwitcher does not switch language (Interactive Server / Interactive Webassembly) because of httpOnly culture cookie.

[maurocavallin]

Problem: Language Switcher Not Working

When I select a different language from the dropdown in the Language Switcher, nothing happens.
It happens in Interactive/Server and in Interactive/WebAssembly

The code behind is correctly calling SetCultureAsync:

// Oqtane.Client\Themes\Controls\Theme\LanguageSwitcher.razor
private async Task SetCultureAsync(string culture)
{
    if (culture != CultureInfo.CurrentUICulture.Name)
    {
        var localizationCookieValue = CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture));
        var interop = new Interop(JSRuntime);
        await interop.SetCookie(CookieRequestCultureProvider.DefaultCookieName, localizationCookieValue, 360);
        NavigationManager.NavigateTo(NavigationManager.Uri, forceLoad: true);
    }
}

also the javasript code is ok:

 // Oqtane.Server\wwwroot\js\interop.js
 setCookie: function (name, value, days) {
     var d = new Date();
     d.setTime(d.getTime() + (days * 24 * 60 * 60 * 1000));
     var expires = "expires=" + d.toUTCString();
     document.cookie = name + "=" + value + ";" + expires + ";path=/";
 },

The problem I found is that document.cookie is not writable because the language cookie '.AspNetCore.Culture' is an httpOnly cookie: it's not accessible (nor writeable) by javascript.

My workaround for now is to set to false the cookie HttpOnly property:

// Oqtane.Server\Components\App.razor
private void SetLocalizationCookie(string culture)
{
    var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions
    {
        Expires = DateTimeOffset.UtcNow.AddYears(1),
        SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
        Secure = true, // Ensure the cookie is only sent over HTTPS
        HttpOnly = false // Optional: Helps mitigate XSS attacks    <----- I CHANGED THIS to false
    };

    Context.Response.Cookies.Append(
        CookieRequestCultureProvider.DefaultCookieName,
        CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture)),
        cookieOptions
    );

[sbwalker]

@thabaum this seems to be a regression error caused by the recent PR related to cookies.

#4493

[hishamco]

This option changes the cookie settings to be used with HTTP only. AFAIK everything works fine

[hishamco]

@thabaum this seems to be a regression error caused by the recent PR related to cookies.

@sbwalker could you refer me to the PR, so I can fix the issue

[thabaum]

@maurocavallin This is the only place I see the language actually change, and it works the same no matter how I change the httpOnly setting. This is in Visual Studio.

How do I reproduce what you are experiencing. My apologies as I do not work with the language packs in Oqtane. I still would love to reproduce the issue.

[thabaum]

Also if you could please report it as an issue with steps to reproduce that would be a great help! If not and dont have time would rather continue this discussion here that is fine as well as I will try to work on replicating the issue as soon as I fully understand how to. If you do decide to create an actual issue we can track for the project you can also reference this discussion for additional information. Thank you.

[thabaum]

The issue I believe is it needs to reload to see the change. Please verify because I think that when changing the setting it stays the same, until you refresh manually. So this would be a different issue.

Oqtane.Client\Themes\Controls\Theme\LanguageSwitcher.razor page reload/refresh on change does not appear to be happening to refresh the UI is the issue I am experiencing.

[maurocavallin]

Hi @thabaum sorry for the delay.

Just the last hint (before submitting a issue, and not waste more of your time :-) ):

I'm running from VisualStudio and IIS Express. Latest dev branch.

I experience my issue in two cases:
Render Mode: Interactive Interactivity: Server
Render Mode: Interactive Interactivity: Webassembly

With Render Mode: Static I have no problems.

Before the test, to start from clean, I suggest those operations in sequence:

• change the interactivity mode (i.e.: Render Mode: Interactive Interactivity: Server)
• wipe the ".AspNetCore.Culture" coockie from browser
• restart the application

[thabaum]

@maurocavallin thank you for the clarification. I was able to reproduce this issue with interactive mode and you are correct that setting this httpOnly cookie option to false resolves.

Why does it work in static and not interactive? Due to SignalR? I put a PR up recently working in this area and javascript I know I need to go back through and rethink as it was just to show enhancing the SameSite of cookies created via JS interop. My bad testing via static and not interactive as I know a lot use interactive still.

Since it works in static we should possibly check which render mode Oqtane is running and set this cookie option to true for static and false for interactive render modes if we cannot get it to work properly set to true.

I have tested this on production and same results. Works OK in static but need to refresh to see the UI update which is another issue. Interactive mode there is an issue with this cookie.

I will try testing some stuff tomorrow to see if we can get this to work in interactive mode. Bottom line currently is Static mode works, interactive does not.

It would be most secure to have it set to true, but since it does not work in interactive mode currently we may need to set to false for this mode, but I would still like to keep it set to true for static if we can. It would limit phishing and social engineering attacks from my understanding.

The visitor tracking cookie would also need to be reviewed I would think as well.

[thabaum]

@sbwalker #4714 This issue has been resolved setting HttpOnly=false for all modes, however I added a comment relating in the PR for static mode since it did not have an issue maybe HttpOnly would be best to have set to true for this case?

[thabaum]

#4730 is an example of what I was thinking for a fix.

But I also want to point out line 435 with the visitor cookie in the app.razor file. Is this working ok in interactive mode?

[sbwalker]

The visitor cookie is never accessed from razor components - it only exists server-side

[thabaum]

I have updated #4730 and seems to work OK, however it should be tested further with multiple tenants in different modes.

[sbwalker]

If a cookie has HttpOnly disabled it does not mean your site is vulnerable to attack. HttpOnly is only an extra layer of defense (for those browsers that actually support it). XSS requires an initial attack vector - the injection of executable JavaScript into a page. If your site allows a malicious user to inject JavaScript then they could include a script which can read the value of cookies. HttpOnly prevents scripts from reading cookie values. So it's useful as an additional safeguard for authentication cookies or cookies which store other confidential information. But if your site allows malicious scripts to be injected then you obviously have much bigger problems to worry about than just cookies.