GDPR in .Net Core: .Net Core Security Part VII


We know that GDPR has officially been part of the law in Europe since 25th May 2018.

There are some awesome enhancements shipped with .Net Core 2.1; one of them is support for GDPR.

Let us see what has been added for GDPR in .Net Core 2.1.

What is GDPR?

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

Let us create a .Net Core 2.1 application.

I would recommend following this post before starting, because you may need to install .Net Core 2.1 if you do not have it already; the post will help you do that.

Once you have .Net Core 2.1 installed:

Open your Visual Studio 2017 -> Create New Project -> Select Core Web application:


Click OK and, in the next window, select Web Application (MVC) as shown below:


Make sure you have selected Individual User Accounts as the authentication type. We will use this to check the Personal Data feature.


Visual Studio will create a well-structured application for you.

Cookie Policy Configuration

If you open the Startup.cs class -> ConfigureServices method, you will notice the default code for cookie configuration, which is as below:


services.Configure<CookiePolicyOptions>(options =>
{
    // This lambda determines whether user consent for non-essential cookies is needed for a given request.
    options.CheckConsentNeeded = context => true;
    options.MinimumSameSitePolicy = SameSiteMode.None;
});

and in the Configure method, UseCookiePolicy() is added, which enables the cookie policy capabilities:


app.UseCookiePolicy();

Check Consent

In the ConfigureServices method, the code below controls whether the consent check is needed or not:


options.CheckConsentNeeded = context => true;

By returning true, we enable the consent check, which you can see once you run the application:


This banner is nothing but the partial view ~\Views\Shared\_CookieConsentPartial.cshtml.

This feature allows you to prompt a user to consent to your application creating non-essential cookies.

If you click on Learn More, you will be redirected to the view ~\Views\Home\Privacy.cshtml. Here we can publish the details of our application's privacy policy:


Accept Policy

If the user clicks Accept, a new cookie is added:

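The consent banner and the Accept button are driven by the ITrackingConsentFeature that the cookie policy middleware attaches to each request. The controller below is an added example (not code from the post or from the ASP.NET Core template) showing how application code can ask that feature whether a non-essential cookie may be written, and how the Accept and Withdraw actions can be implemented server-side. The controller name, the ui-theme cookie and the TempData message are assumptions made for the illustration, and TempData is assumed to have been made essential as described later in the post.

```csharp
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller, added for illustration only.
public class PreferencesController : Controller
{
    // Hypothetical non-essential cookie: a UI preference the site works without.
    private const string ThemeCookie = "ui-theme";

    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult SetTheme(string theme)
    {
        // Attached by app.UseCookiePolicy(); null if the middleware is not in the pipeline.
        var consent = HttpContext.Features.Get<ITrackingConsentFeature>();

        // CanTrack is true when the user has consented, or when CheckConsentNeeded
        // returned false for this request (consent not required).
        if (consent == null || consent.CanTrack)
        {
            Response.Cookies.Append(ThemeCookie, theme, new CookieOptions
            {
                HttpOnly = true,
                Secure = true,
                SameSite = SameSiteMode.Lax
                // IsEssential is left at its default of false: this is a tracking-class cookie.
            });
            TempData["Message"] = "Theme saved.";
        }
        else
        {
            // The cookie policy middleware would strip the cookie from the response anyway;
            // explain to the user why the preference was not stored.
            TempData["Message"] = "Accept the cookie policy to save preferences.";
        }

        return RedirectToAction("Index", "Home");
    }

    // Server-side equivalent of the Accept button in _CookieConsentPartial.cshtml:
    // the middleware appends the consent cookie to this response.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Accept()
    {
        HttpContext.Features.Get<ITrackingConsentFeature>()?.GrantConsent();
        return RedirectToAction("Index", "Home");
    }

    // Lets the user revoke consent later; the consent cookie is expired and
    // non-essential cookies are suppressed again from the next request on.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Withdraw()
    {
        HttpContext.Features.Get<ITrackingConsentFeature>()?.WithdrawConsent();
        return RedirectToAction("Index", "Home");
    }
}
```

The template's partial view takes a different route to the same result: it calls CreateConsentCookie() on the feature and writes that cookie string from the browser with a small script when Accept is clicked. GrantConsent() does the same work on the server, which is useful when the accept step must be auditable or must work without JavaScript.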

Essential cookies

If the user has not accepted consent, only cookies marked essential are sent to the browser. The following code makes a cookie essential:

context.Response.Cookies.Append("Test", "Value", new CookieOptions { IsEssential = true });

TempData

TempData cookies are non-essential, so if tracking is not enabled, TempData will not work.

To allow this, we need to make the cookie essential by adding the code below:

services.Configure<CookieTempDataProviderOptions>(options => { options.Cookie.IsEssential = true; });

Note: session state cookies are also non-essential, so if tracking is disabled, session state is not functional either.
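Putting the cookie policy, the TempData setting and the session cookie together, the Startup below is an added example based on the shape of the 2.1 MVC template; it is not the post's code. It marks the two cookies the application cannot function without as essential while leaving every other cookie subject to the consent check. The session timeout value and the use of the in-memory distributed cache are assumptions for the example.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.ViewFeatures;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Ask for consent on every request until the consent cookie is present.
            // Returning false here disables the banner and lets all cookies through.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        // TempData lives in a cookie that is non-essential by default; without this
        // setting TempData silently loses its values until the user consents.
        services.Configure<CookieTempDataProviderOptions>(options =>
        {
            options.Cookie.IsEssential = true;
        });

        // Same for the session cookie, otherwise Session is empty on every request
        // until consent is given.
        services.AddDistributedMemoryCache(); // assumption: single-server in-memory session store
        services.AddSession(options =>
        {
            options.Cookie.IsEssential = true;
            options.Cookie.HttpOnly = true;
            options.IdleTimeout = TimeSpan.FromMinutes(20); // assumed value
        });

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();

        // Enforces the policy above: non-essential cookies are removed from
        // responses until the consent cookie is present.
        app.UseCookiePolicy();

        // Session and MVC run after the policy so their cookies are evaluated by it.
        app.UseSession();
        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
```

A quick check after wiring this up: run the site, do not click Accept, and inspect the response headers in the browser's developer tools. Only the consent-related, antiforgery, TempData and session cookies should appear in Set-Cookie; any cookie appended without IsEssential = true should be absent.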

Your personal data

You can allow users to view and download their personal data from a .Net Core application.

If a user finds some personal data inappropriate, our .Net Core application should allow the user to delete that data as well.

When you run the application, you can see the Register/Login pages. Register a user with the following details:


Once the user is registered, when you click on the user name, along with the other data you can see the newly added Personal Data tab:


Here the user can download as well as delete their data.

If you download the data, it is in JSON format and looks like below:


If you choose to delete your data, it permanently removes all your account-related data along with your account:


Update code for Download and Delete

You might be thinking of changing this default code, for example to let users download an XML-based structure instead of JSON, or to add extra fields like "Allow data sharing" true or false.

From .Net Core 2.1 onwards, the default template uses Identity as a UI feature. This means there is no more need for thousands of lines of code and so many files to add Identity to your .Net Core application.

For this reason, we cannot see the code for Download or for Delete. But you can override the code by adding an Areas/Identity/Pages/Account/Manage folder in your application and, under the Manage folder, adding a DownloadPersonalData.cshtml and its associated DownloadPersonalData.cshtml.cs class.

You can have a look at this code for Download and this code for Delete for more information.
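As an added example of the override described above (not the post's code and not the Identity UI's own source), the page model below replaces the default JSON export with an XML document and adds an "allow data sharing" flag to the user. The ApplicationUser type, the AllowDataSharing property and the file name are assumptions; using a custom user type like this requires registering it with services.AddDefaultIdentity<ApplicationUser>() in Startup and adding an EF migration for the new column. The page itself, Areas/Identity/Pages/Account/Manage/DownloadPersonalData.cshtml, is assumed to contain only the @page and @model directives plus a form that posts to this handler.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Xml.Linq;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Logging;

// Hypothetical user type with an extra GDPR-related field.
public class ApplicationUser : IdentityUser
{
    // [PersonalData] marks the property so it is exported with the user's data
    // and removed together with the account when the user deletes it.
    [PersonalData]
    public bool AllowDataSharing { get; set; }
}

// Placed in Areas/Identity/Pages/Account/Manage/DownloadPersonalData.cshtml.cs
// it takes precedence over the page shipped inside the Identity UI library.
public class DownloadPersonalDataModel : PageModel
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly ILogger<DownloadPersonalDataModel> _logger;

    public DownloadPersonalDataModel(UserManager<ApplicationUser> userManager,
                                     ILogger<DownloadPersonalDataModel> logger)
    {
        _userManager = userManager;
        _logger = logger;
    }

    public async Task<IActionResult> OnPostAsync()
    {
        // The export is always for the signed-in user; no user id is taken from the request.
        var user = await _userManager.GetUserAsync(User);
        if (user == null)
        {
            return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
        }

        _logger.LogInformation("User with ID '{UserId}' asked for their personal data.",
                               _userManager.GetUserId(User));

        var root = new XElement("PersonalData");

        // Export only properties marked [PersonalData]. Columns such as PasswordHash
        // and SecurityStamp carry no attribute and therefore never reach the file.
        var personalDataProps = typeof(ApplicationUser).GetProperties()
            .Where(prop => Attribute.IsDefined(prop, typeof(PersonalDataAttribute)));
        foreach (var p in personalDataProps)
        {
            root.Add(new XElement(p.Name, p.GetValue(user)?.ToString() ?? "null"));
        }

        // External login providers linked to the account are personal data too.
        var logins = await _userManager.GetLoginsAsync(user);
        foreach (var login in logins)
        {
            root.Add(new XElement("Login",
                new XAttribute("Provider", login.LoginProvider),
                login.ProviderKey));
        }

        Response.Headers.Add("Content-Disposition", "attachment; filename=PersonalData.xml");
        return new FileContentResult(Encoding.UTF8.GetBytes(root.ToString()), "application/xml");
    }
}
```

The attribute-driven loop is the part worth keeping whatever output format you choose: any new column you add to the user is only exported (and only cleaned up on delete) if it carries [PersonalData], so reviewing that attribute on each user-table change is the practical way to keep the export complete.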

Apart from this, .Net Core also provides the capability to add HTTPS for secure connections over TLS. Have a look here for HTTPS-related information in .Net Core.

Encryption

Encryption of data is also a key requirement for GDPR.

.Net Core also provides the capability to encrypt SQL data:
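One way to encrypt a personal-data field before it reaches the database, shown here as an added example that is not the post's code and is independent of whatever the post links to, is the ASP.NET Core Data Protection API. The service name, the purpose string and the field being protected are assumptions; the example assumes services.AddDataProtection() has been called in Startup and that the service is registered for injection.

```csharp
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

// Hypothetical service that encrypts a phone number before it is stored and
// decrypts it after it is read back. Added for illustration only.
public class PhoneNumberProtector
{
    // The purpose string isolates keys: a payload protected under one purpose cannot
    // be unprotected by a protector created for a different purpose, so changing it
    // (for example to v2) deliberately invalidates existing ciphertext.
    private const string Purpose = "ApplicationUser.PhoneNumber.v1";

    private readonly IDataProtector _protector;

    public PhoneNumberProtector(IDataProtectionProvider provider)
    {
        _protector = provider.CreateProtector(Purpose);
    }

    // Returns an opaque, authenticated ciphertext string that is safe to store in a
    // text column; empty input is stored as-is so "no number" stays distinguishable.
    public string Protect(string plaintext)
    {
        return string.IsNullOrEmpty(plaintext) ? plaintext : _protector.Protect(plaintext);
    }

    // Returns false instead of throwing when the stored value cannot be decrypted:
    // wrong key ring, a tampered payload, or a payload written under another purpose.
    public bool TryUnprotect(string ciphertext, out string plaintext)
    {
        if (string.IsNullOrEmpty(ciphertext))
        {
            plaintext = ciphertext;
            return true;
        }

        try
        {
            plaintext = _protector.Unprotect(ciphertext);
            return true;
        }
        catch (CryptographicException)
        {
            plaintext = null;
            return false;
        }
    }
}
```

Two operational points decide whether this actually protects anything. First, the keys must be persisted somewhere the application can read on every instance and after restarts (for example PersistKeysToFileSystem or a cloud key store in AddDataProtection); the default key location differs between hosting environments, and losing it makes every stored value unreadable. Second, the encrypted column can no longer be searched or indexed by the database, so decide per field whether lookup by that value is needed before encrypting it.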

If you know more details than this article covers regarding GDPR support in .Net Core, please put a comment below.

Hope it helps.

 

5 thoughts on “GDPR in .Net Core: .Net Core Security Part VII”

  1. Good work Neel. It's a fantastic opening for the dev community as they might not be fully aware of the GDPR implications yet, I guess…

