On May-25th, General Data Protection Regulation (GDPR) becomes active. With that many articles available on GDPR, I need to write one as well. However, this one is about ASP.NET Core. ASP.NET Core 2.1 includes built-in support to fulfill some GDPR requirements.
The ASP.NET Core 2.1 project template not only includes a privacy page, but also allows registered users to easily delete themselves, and to get all the information stored about the user.
Creating and Running the Project
All you need to do to get this support is to create a new ASP.NET Core 2.1 project and configure authentication to store user accounts in-app.
This creates a project with a privacy page (Views/Home/Privacy.cshtml) which needs to be filled with your content.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @{ | |
| ViewData["Title"] = "Privacy Policy"; | |
| } | |
| <h2>@ViewData["Title"]</h2> | |
| <p>Use this page to detail your site's privacy policy.</p> |
After creating the database with EF Core Migrations, the user can register, and after registration manage the account.
Using the Account Management, the user can download and delete all personal data stored.
The database to be used for storing user data is configured with the ConfigureServices method of the Startup class. The class ApplicationDbContext is the EF Core data context. The extension method AddDefaultIdentity adds authentication services to the service collection, and a default user interface. This extension mehtod returns the IdentityBuilder that in turn is used to configure the EF Core store invoking AddEntityFrameworkStores.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public void ConfigureServices(IServiceCollection services) | |
| { | |
| services.Configure<CookiePolicyOptions>(options => | |
| { | |
| // This lambda determines whether user consent for non-essential cookies is needed for a given request. | |
| options.CheckConsentNeeded = context => true; | |
| options.MinimumSameSitePolicy = SameSiteMode.None; | |
| }); | |
| services.AddDbContext<ApplicationDbContext>(options => | |
| options.UseSqlServer( | |
| Configuration.GetConnectionString("DefaultConnection"))); | |
| services.AddDefaultIdentity<IdentityUser>() | |
| .AddEntityFrameworkStores<ApplicationDbContext>(); | |
| services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1); | |
| } |
The middleware to use is configured in the Configure method. You can see some interesting methods in this configuration.
- The
UseHstsextension method adds the HTTP Strict Transport Security policy. This protects the website against protocol downgrade attacks and cookie hijacking*. UseHttpsRedirectionredirects HTTP requests to HTTPS. HTTPS is the new default.- The method
UseCookiePolicyadds theCookiePolicyMiddlewarehandler to deal with cookies. Remember, users need to agree for cookies.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public void Configure(IApplicationBuilder app, IHostingEnvironment env) | |
| { | |
| if (env.IsDevelopment()) | |
| { | |
| app.UseDeveloperExceptionPage(); | |
| app.UseDatabaseErrorPage(); | |
| } | |
| else | |
| { | |
| app.UseExceptionHandler("/Home/Error"); | |
| app.UseHsts(); | |
| } | |
| app.UseHttpsRedirection(); | |
| app.UseStaticFiles(); | |
| app.UseCookiePolicy(); | |
| app.UseAuthentication(); | |
| app.UseMvc(routes => | |
| { | |
| routes.MapRoute( | |
| name: "default", | |
| template: "{controller=Home}/{action=Index}/{id?}"); | |
| }); | |
| } |
Cookie Consent
In the Startup class you’ve seen the code configuration to ask the user for the cookie consent. Running the application, the cookie consent question by default is on top, and the user can’t select any menus before agreeing with the cookie:
Of course, the text for the cookie consent needs to be changed. This can be done easily in the file Views/Shared/_CookieConsentPartial.cshtml:
Predefined UI Libraries
A new feature of ASP.NET Core 2.1 is that user interfaces can be defined within a library. For the user identity, with previous ASP.NET Core project templates many views to manage user identities have been created. This is no longer the case. These views are now referenced with a library. The extension method AddDefaultIdentity also adds the default user interface (AddDefaultUI). The NuGet package Microsoft.AspNetCore.Identity.UI contains the default UIs. You can get the source code for all the account views at GitHub. The common layout for the identity pages is defined with the _ViewStart.cshtml page in Areas/Identity/Pages – what allows for easy customization.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @{ | |
| Layout = "/Views/Shared/_Layout.cshtml"; | |
| } |
Summary
ASP.NET Core 2.1 reduces your source code by adding great features. User interfaces can be included in libraries. For account management, a predefined UI library is available. HTTPS is default. Cookie consent is implemented from the framework, a separate library is not required.
Just the main work – the definition of the text for the cookie consent and the privacy policy is still needed. However, probably you can outsource this work, or adapt various text templates available.
Source code available at Github.
More information on ASP.NET Core 2 in my book Professional C# 7 and .NET Core 2.0 and with my trainings
Enjoy coding!
Christian
csharp.christiannagel.com 
How I already hate those annoying cookie questions pop of on almost every website I visit nowadays! Before checking out the other day in a webshop I checked eight(!) checkboxes, that I have read and consent their 1.General Terms, 2.Return procedures 3.Lithium battery handling rules 4.Being of 18+ age, 6.Packaging material dispose rules 7.Product safety info 8.Data handling rules (just the old one, not yet GDPR).
I already began looking for a browser plug-in that would check every bullshit for me automatically. I do not read those 700-pages blurb anyway, but the webshop would not let me not checking all those. Does this really make sense?
Now cometh this GDPR thing to the play, I can imagine, another 5-10 years of ‘smart’ legislation in this direction, and we will be required to read, checkbox, fill-out and sign 37 popping up consent windows before we can lookup the weather or the simplest things on any website. Add another 50 years of legislative progress, and will there be 587 questions and checkboxes? Ridiculous.
Why I am not required to sign anything before I enter a physical shop and buy something with my credit card. My card data is the most personal info I can imagine, my face, my each step is recorded on their video surveillance. A simple warning is enough on their entrance, just by entering and buying I am giving my consent.
Sorry for the offtopic ranting here. I am just asking you, developers to keep the annoying checkboxes as low count and low profile as it is minimally necessary by the law.
I understand you can’t change this silly law, but please do not overobey it. I see already websites looking* 10x more GDPR-compliant than required by asking twelve GDPR questions, checkboxes, etc. rendering the whole thing internet is about (free, unrestricted, quick browsing for any info) into an annoying experience.
*by ‘looking’ I mean much of the GDPR requirements are infeasible today
LikeLiked by 1 person
Reblogged this on Razin's Tech blog.
LikeLike