Reputation: 81
There is no error, but I am unable to configure the HttpOnly status in the browser. Can you check my code, please?
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();
        services.AddMvc();
        services.AddSession(options =>
        {
            // Set a short timeout for easy testing.
            options.IdleTimeout = TimeSpan.FromMinutes(20);
            options.Cookie.HttpOnly = true;
            options.Cookie.SameSite = SameSiteMode.Strict;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseSession();
        app.UseStaticFiles();
        app.UseCookiePolicy(new CookiePolicyOptions
        {
            HttpOnly = HttpOnlyPolicy.Always,
            Secure = CookieSecurePolicy.Always,
            MinimumSameSitePolicy = SameSiteMode.None
        });
    }
Upvotes: 4
Views: 18778
Reputation: 23945
According to the documentation, you can configure HttpOnly via IApplicationBuilder.UseCookiePolicy():
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        /*..*/
        app.UseStaticFiles();
        app.UseSession();
        app.UseCookiePolicy(new CookiePolicyOptions
        {
            HttpOnly = HttpOnlyPolicy.Always
        });
    }
Upvotes: 4
Reputation: 3304
In ASP.NET Core 2.X you can use the following code:
    public void ConfigureServices(IServiceCollection services)
    {
        // This can be removed after https://github.com/aspnet/IISIntegration/issues/371
        services.AddAuthentication(
            options =>
            {
                // Blah Blah Blah
            }).AddCookie(opts =>
            {
                // HttpOnly defaults to true for the authentication cookie;
                // false makes the cookie readable from client-side script.
                opts.Cookie.HttpOnly = false;
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
    }
Note that this changed from ASP.NET Core 1.X.
Upvotes: 3
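
To confirm what the server actually sends, independent of the browser's developer tools, the Set-Cookie response headers can be checked for the three flags set in the question's ConfigureServices. This is an added example, not code from any of the posts above; the header values are constructed, and the cookie names assume ASP.NET Core's default session and cookie-authentication names.

```python
# Added example: audit Set-Cookie headers for the flags the question's
# ConfigureServices sets (HttpOnly, Secure, SameSite=Strict).

# Constructed sample headers; values are placeholders, not captured traffic.
# The cookie names assume the ASP.NET Core defaults.
SAMPLE_HEADERS = [
    ".AspNetCore.Session=PLACEHOLDER; path=/; secure; samesite=strict; httponly",
    ".AspNetCore.Cookies=PLACEHOLDER; path=/; samesite=lax",
    "theme=dark; Path=/; Secure; HttpOnly",
]

# Attribute -> required value (None means the bare flag must be present).
EXPECTED = {"httponly": None, "secure": None, "samesite": "strict"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {attribute: value-or-None})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        # Attribute names are case-insensitive, so normalise to lower case.
        attrs[key.strip().lower()] = value.strip().lower() if sep else None
    return name, attrs


def audit(headers, expected=EXPECTED):
    """Return {cookie name: [findings]} for cookies that miss an expected flag."""
    report = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        findings = []
        for attr, want in expected.items():
            if attr not in attrs:
                findings.append("missing " + attr)
            elif want is not None and attrs[attr] != want:
                findings.append("%s=%s, expected %s" % (attr, attrs[attr], want))
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for cookie, findings in audit(SAMPLE_HEADERS).items():
        print(cookie + ": " + "; ".join(findings))
```

Pass one list entry per Set-Cookie header taken from a real response; a cookie that appears in the report is being written without one of the flags the configuration was meant to enforce.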