From 93bc1cd5af034718538d31d884d4be59f1824519 Mon Sep 17 00:00:00 2001
From: sbwalker
Date: Mon, 14 Oct 2024 15:05:46 -0400
Subject: [PATCH] fix #4714 as well as breaking change in #4712
---
 Oqtane.Client/UI/Interop.cs | 5 +++++
 Oqtane.Maui/wwwroot/js/interop.js | 8 ++++----
 Oqtane.Server/Components/App.razor | 2 +-
 Oqtane.Server/wwwroot/js/interop.js | 8 ++++----
 4 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/Oqtane.Client/UI/Interop.cs b/Oqtane.Client/UI/Interop.cs
index d3d1841f2..c5964c962 100644
--- a/Oqtane.Client/UI/Interop.cs
+++ b/Oqtane.Client/UI/Interop.cs
@@ -16,6 +16,11 @@ public Interop(IJSRuntime jsRuntime)
 _jsRuntime = jsRuntime;
 }

+ public async Task SetCookie(string name, string value, int days)
+ {
+ await SetCookie(name, value, days, true, "Lax");
+ }
+
 public Task SetCookie(string name, string value, int days, bool secure, string sameSite)
 {
 try
diff --git a/Oqtane.Maui/wwwroot/js/interop.js b/Oqtane.Maui/wwwroot/js/interop.js
index 9a11b7e68..ef6043f90 100644
--- a/Oqtane.Maui/wwwroot/js/interop.js
+++ b/Oqtane.Maui/wwwroot/js/interop.js
@@ -6,11 +6,11 @@ Oqtane.Interop = {
 d.setTime(d.getTime() + (days * 24 * 60 * 60 * 1000));
 var expires = "expires=" + d.toUTCString();
 var cookieString = name + "=" + value + ";" + expires + ";path=/";
- if (sameSite === "Lax" || sameSite === "Strict" || sameSite === "None") {
- cookieString += `; SameSite=${sameSite}`;
- }
 if (secure) {
- cookieString += "; Secure";
+ cookieString += "; secure";
+ }
+ if (sameSite === "Lax" || sameSite === "Strict" || sameSite === "None") {
+ cookieString += "; SameSite=" + sameSite;
 }
 document.cookie = cookieString;
 },
diff --git a/Oqtane.Server/Components/App.razor b/Oqtane.Server/Components/App.razor
index 658ecfce9..76ef58f0d 100644
--- a/Oqtane.Server/Components/App.razor
+++ b/Oqtane.Server/Components/App.razor
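Review bot: The restored three-argument `SetCookie` overload does not document the defaults it applies: it forwards `true, "Lax"`, so every caller of the short form now writes a `Secure` cookie. Browsers generally discard a `Secure` cookie written from a page that was not loaded over HTTPS, so on a plain-HTTP deployment this call would presumably stop persisting anything without reporting an error. I would state that on the overload, e.g. `/// <summary>Sets a cookie with Secure and SameSite=Lax; the browser drops it on a non-HTTPS page.</summary>`. The wrapper can also hand the task back directly with `return SetCookie(name, value, days, true, "Lax");` instead of `async`/`await`. The five-argument overload's body continues outside the hunk.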
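Review bot: `name` and `value` go into `cookieString` unencoded on the context line `var cookieString = name + "=" + value + ";" + expires + ";path=/";`, so a value containing `;` ends the cookie value early and the remainder is parsed as cookie attributes. If any caller can pass user-influenced text, encode it with `encodeURIComponent(value)` and decode with `decodeURIComponent` in the reader, which is not visible here. Separately, the two `if` blocks are independent, so `secure` false with `sameSite` "None" yields a cookie browsers reject; `if (secure || sameSite === "None") {` would cover that. The identical hunk in Oqtane.Server/wwwroot/js/interop.js has both issues. The function starts and ends outside the hunk.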
@@ -609,7 +609,7 @@
 Expires = DateTimeOffset.UtcNow.AddYears(1),
 SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
 Secure = true, // Ensure the cookie is only sent over HTTPS
- HttpOnly = true // Optional: Helps mitigate XSS attacks
+ HttpOnly = false // cookie is updated using JS Interop
 };

 Context.Response.Cookies.Append(
diff --git a/Oqtane.Server/wwwroot/js/interop.js b/Oqtane.Server/wwwroot/js/interop.js
index 9a11b7e68..ef6043f90 100644
--- a/Oqtane.Server/wwwroot/js/interop.js
+++ b/Oqtane.Server/wwwroot/js/interop.js
@@ -6,11 +6,11 @@ Oqtane.Interop = {
 d.setTime(d.getTime() + (days * 24 * 60 * 60 * 1000));
 var expires = "expires=" + d.toUTCString();
 var cookieString = name + "=" + value + ";" + expires + ";path=/";
- if (sameSite === "Lax" || sameSite === "Strict" || sameSite === "None") {
- cookieString += `; SameSite=${sameSite}`;
- }
 if (secure) {
- cookieString += "; Secure";
+ cookieString += "; secure";
+ }
+ if (sameSite === "Lax" || sameSite === "Strict" || sameSite === "None") {
+ cookieString += "; SameSite=" + sameSite;
 }
 document.cookie = cookieString;
 },
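Review bot: With `HttpOnly = false` this cookie becomes readable and writable by any script running on the page, so the `Secure` and `SameSite` settings above it no longer cover the script-injection case the removed comment referred to. Which cookie this is cannot be seen from the hunk; if it carries anything beyond a display preference, keeping it `HttpOnly` and performing the update server-side would be the safer design. I would make the trade-off explicit in the comment, e.g. `HttpOnly = false // script-readable so JS Interop can update it; must not hold secrets, and the server must treat its value as untrusted`. The object initializer starts before the hunk and the `Append` call continues after it.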