On May 25th, the General Data Protection Regulation (GDPR) becomes active. With so many articles available on GDPR, I need to write one as well. However, this one is about ASP.NET Core. ASP.NET Core 2.1 includes built-in support to fulfill some GDPR requirements.
The ASP.NET Core 2.1 project template not only includes a privacy page, but also allows registered users to easily delete their accounts and to get all the information stored about them.
Creating and Running the Project
All you need to do to get this support is to create a new ASP.NET Core 2.1 project and configure authentication to store user accounts in-app.
This creates a project with a privacy page (Views/Home/Privacy.cshtml) which needs to be filled with your content.
After creating the database with EF Core Migrations, the user can register, and after registration manage the account.
Using the Account Management, the user can download and delete all personal data stored.
The database to be used for storing user data is configured with the ConfigureServices method of the Startup class. The class ApplicationDbContext is the EF Core data context. The extension method AddDefaultIdentity adds authentication services to the service collection, and a default user interface. This extension method returns the IdentityBuilder that in turn is used to configure the EF Core store invoking
    public void ConfigureServices(IServiceCollection services)
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
The middleware to use is configured in the Configure method. You can see some interesting methods in this configuration.
- The UseHsts extension method adds the HTTP Strict Transport Security policy. This protects the website against protocol downgrade attacks and cookie hijacking.
- UseHttpsRedirection redirects HTTP requests to HTTPS. HTTPS is the new default.
- The CookiePolicyMiddleware handler is added to deal with cookies. Remember, users need to agree to cookies.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
In the Startup class you’ve seen the code configuration to ask the user for cookie consent. When running the application, the cookie consent question is by default on top, and the user can’t select any menus before agreeing to the cookie.
Of course, the text for the cookie consent needs to be changed. This can be done easily in the file Views/Shared/_CookieConsentPartial.cshtml.
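The consent behaviour described above, as an added example that is not part of the original post or of the project template: a minimal ASP.NET Core 2.1 Startup in which a cookie marked IsEssential is written before consent, while an unmarked cookie is dropped by the cookie policy middleware. The cookie names and values, the Secure setting and the inline app.Run handler are assumptions of this example.

```csharp
// Added example, not the template's code. Targets ASP.NET Core 2.1.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Same two settings as on the page: consent is required on
            // every request before non-essential cookies are written.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
            // Assumption of this example: force the Secure attribute on all cookies.
            options.Secure = CookieSecurePolicy.Always;
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (!env.IsDevelopment())
        {
            app.UseHsts();            // send Strict-Transport-Security outside development
        }
        app.UseHttpsRedirection();    // redirect HTTP requests to HTTPS
        app.UseCookiePolicy();        // must be registered before anything that appends cookies

        app.Run(async context =>
        {
            // Feature set by the cookie policy middleware.
            var consent = context.Features.Get<ITrackingConsentFeature>();

            // Essential cookie (hypothetical name): written even without consent.
            context.Response.Cookies.Append("session-hint", "1",
                new CookieOptions { IsEssential = true });

            // Non-essential cookie (hypothetical name, constructed value): the
            // middleware drops it until the user has granted consent.
            context.Response.Cookies.Append("analytics-id", "constructed-sample");

            await context.Response.WriteAsync(
                $"IsConsentNeeded={consent.IsConsentNeeded}, CanTrack={consent.CanTrack}");
        });
    }
}
```

Before consent the response carries only the session-hint cookie and reports CanTrack=False; once the consent cookie is present, CanTrack becomes True and analytics-id is written as well.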
Predefined UI Libraries
A new feature of ASP.NET Core 2.1 is that user interfaces can be defined within a library. For the user identity, previous ASP.NET Core project templates created many views to manage user identities. This is no longer the case. These views are now referenced from a library. The extension method AddDefaultIdentity also adds the default user interface (AddDefaultUI). The NuGet package Microsoft.AspNetCore.Identity.UI contains the default UIs. You can get the source code for all the account views at GitHub. The common layout for the identity pages is defined with the _ViewStart.cshtml page in Areas/Identity/Pages, which allows for easy customization.
    Layout = "/Views/Shared/_Layout.cshtml";
ASP.NET Core 2.1 reduces your source code by adding great features. User interfaces can be included in libraries. For account management, a predefined UI library is available. HTTPS is the default. Cookie consent is implemented by the framework; a separate library is not required.
Source code available at GitHub.