This repository has been archived by the owner on Apr 23, 2020. It is now read-only.

Cookies are incorrectly copied as HttpOnly and Secure #22

Open
AndreiZe opened this issue Oct 3, 2018 · 3 comments

Comments

@AndreiZe

AndreiZe commented Oct 3, 2018

CookieParser.Parse() instantiates the cookie like this:

```csharp
HttpCookie cookie = new HttpCookie(nameAndValue.Key, nameAndValue.Value)
{
    // Path defaults to /, want to be able to roundtrip non-existing field.
    Path = null
};
```

This creates a cookie with the HttpOnly and Secure properties set to "true" by default. As a result, duplicate cookies will be added to the response with incorrectly set HttpOnly and Secure properties if they were not present in the first place.

@AndreiZe
Author

AndreiZe commented Oct 3, 2018

More details on this. The aforementioned issue will happen when an ASP.NET app has a web.config with the following entry:

```xml
<httpCookies requireSSL="true" httpOnlyCookies="true" />
```

It seems that the HttpCookie constructor's behavior depends on this config setting, so the proper fix is to always explicitly set the HttpOnly and Secure properties.
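One way to implement the explicit-assignment fix described in the comment above, as an added example that is not the Kentor/Sustainsys OwinCookieSaver code (the class name ExplicitFlagCookieParser and its Parse method are assumptions): it parses a single Set-Cookie header value and assigns HttpOnly, Secure and Domain from the attributes actually present, so the defaults that System.Web.HttpCookie's constructor reads from the web.config `<httpCookies>` section cannot leak into a copied cookie that never carried those attributes.

```csharp
using System;
using System.Globalization;
using System.Web;

// Added example (assumed names; not the OwinCookieSaver CookieParser):
// parse one Set-Cookie header value into a System.Web.HttpCookie while
// assigning HttpOnly, Secure and Domain explicitly from the header, so the
// <httpCookies> web.config defaults that the HttpCookie constructor applies
// never leak into a cookie that did not carry those attributes.
public static class ExplicitFlagCookieParser
{
    public static HttpCookie Parse(string setCookieHeader)
    {
        if (string.IsNullOrWhiteSpace(setCookieHeader))
            throw new ArgumentException("Set-Cookie value is empty", nameof(setCookieHeader));

        // Cookie values may legally contain '=', so split the pair on the first one only.
        var parts = setCookieHeader.Split(';');
        var nameValue = parts[0].Split(new[] { '=' }, 2);
        var name = nameValue[0].Trim();
        var value = nameValue.Length > 1 ? nameValue[1].Trim() : string.Empty;

        bool httpOnly = false, secure = false;
        string path = null, domain = null;
        DateTime? expires = null;

        for (int i = 1; i < parts.Length; i++)
        {
            var kv = parts[i].Trim().Split(new[] { '=' }, 2);
            var key = kv[0].Trim().ToLowerInvariant();
            var val = kv.Length > 1 ? kv[1].Trim() : null;

            switch (key)
            {
                case "httponly": httpOnly = true; break;
                case "secure":   secure = true;   break;
                case "path":     path = val;      break;
                case "domain":   domain = val;    break;
                case "max-age":
                    int seconds;
                    if (int.TryParse(val, NumberStyles.Integer, CultureInfo.InvariantCulture, out seconds))
                        expires = DateTime.UtcNow.AddSeconds(seconds);
                    break;
                case "expires":
                    DateTime when;
                    // RFC 6265 section 5.3 gives Max-Age precedence over Expires.
                    if (!expires.HasValue && DateTime.TryParse(val, CultureInfo.InvariantCulture,
                            DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out when))
                        expires = when;
                    break;
                // SameSite and other attributes are ignored here; they are not this issue's concern.
            }
        }

        // The actual fix: never rely on the constructor's defaults for these three.
        // System.Web.HttpCookie seeds HttpOnly, Secure and Domain from
        // <httpCookies httpOnlyCookies="" requireSSL="" domain=""> in web.config.
        var cookie = new HttpCookie(name, value)
        {
            HttpOnly = httpOnly,
            Secure = secure,
            Domain = domain,
            // null keeps "no Path attribute" round-trippable, as the original parser intends.
            Path = path,
        };
        if (expires.HasValue)
            cookie.Expires = expires.Value;

        return cookie;
    }

    // Demo: with <httpCookies requireSSL="true" httpOnlyCookies="true" /> in
    // web.config, the bare constructor would report both flags as true for the
    // first header below; this parser reports what the header actually said.
    public static void Main()
    {
        var plain  = Parse("session=abc123; Path=/");
        var locked = Parse("session=abc123; Path=/; Secure; HttpOnly");
        Console.WriteLine("plain:  HttpOnly={0} Secure={1}", plain.HttpOnly, plain.Secure);
        Console.WriteLine("locked: HttpOnly={0} Secure={1}", locked.HttpOnly, locked.Secure);
    }
}
```

The point of the example is the object initializer: every property the constructor seeds from configuration is overwritten from the parsed header, so a cookie written by the application without Secure or HttpOnly is re-emitted without them, and one written with them keeps them. Whether the application should be emitting cookies without those flags is a separate question; the middleware's job is to copy faithfully.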

@AndersAbel
Member

When I first created this middleware, there was no support in the .NET Framework for the httponly and secure flags. Guess it's time to add those. And to update the package name to Sustainsys.OwinCookieSaver.

@AbbasKhalili

I use this code, but it does not actually solve my problem.
Is there anything wrong?

```csharp
// Startup.Configuration(IAppBuilder app) fragment: the cookie saver must be
// registered before the cookie authentication middleware.
app.UseKentorOwinCookieSaver();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
    CookieHttpOnly = true,
    CookieSecure = true,
    CookieName = "jjbitshow",
    CookieManager = new SystemWebCookieManager(), // SystemWebChunkingCookieManager(),
    ExpireTimeSpan = TimeSpan.FromHours(2)
});
```
