IlikedCPlusPlus

Reputation: 57

ASP Net Core Web API doesn't recognize session data

I'm currently working on a project which consists of a simple frontend (as one HTML page) and an ASP.NET Core backend (Web API). I'm currently working on the register/login process. The login method is triggered by a GET request, the register method by a POST request. The register method is setting four values for the session cookie, let's call them valA, valB, valC and valD. Afterwards, the login method is used to get the corresponding values. So far, I've tried the following solutions to get this working:

UPDATE

There were several factors which were leading up to the previously mentioned scenario. First of all, like the marked answer suggested, the cookie was sent to the client, but not back. There were several reasons for this problem. The first problem was the fact that the JavaScript code of my HTML page was sending a login request. This can be fixed by adding the following code on the client side and setting the following function as an OnClickHandler of the Login button:

function PostLoginRequest()
{
    fetch(someUrl,{
        /*
        * The credentials header enables the sending
        * process of the response cookie, while the
        * sameSite header is used to enable the cookie
        * sent across the original domain (in this case, the HTML file)
        */
        "credentials":"include",
        "sameSite":"None"
    });
}

Furthermore, you have to adjust the content of the ConfigureServices method of the Startup.cs file. In this case, you will have to add these new lines:

// Configure a cookie policy which will be enforced by the Web API
services.Configure<CookiePolicyOptions>(options=>{
    options.CheckConsentNeeded = context => false;
    options.MinimumSameSitePolicy = SameSiteMode.None;
    options.Secure = CookieSecurePolicy.Always;
});
// Add a storage for the session cookies, in this case a DMC
services.AddDistributedMemoryCache();
// Configure the session cookie
services.AddSession(options=>{
    // Set the name of the session cookie
    options.Cookie.Name = ".App.Session";
    // How long should the cookie be stored? (in this case 1 day from now)
    options.IdleTimeout = TimeSpan.FromDays(1);
    // Can we bypass the consent check? (in this case : yes)
    options.Cookie.IsEssential = true;
    // Prevent the cookie from being accessible via JavaScript
    options.Cookie.HttpOnly = true;
    // Allow the cookie to be sent to other domains
    options.Cookie.SameSite = SameSiteMode.None;
    // Sets the path of the cookie. This means on which segment of
    // the domain it will be accessible. In this case, the whole domain
    // is covered by the cookie
    options.Cookie.Path = "/";
});

Last, but not least, the Startup.cs should contain the function call app.UseSession() and app.UseCookiePolicy(). While the first call enables the ASP.NET Core server to send a session cookie, if some value was stored inside of it, the second one applies the cookie policy we have previously defined. And this should be everything so far. Sorry for the lengthy update, but I hope that my solution description can help other people who face the same issues as me.

Upvotes: 0

Views: 968
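
An added example, not part of the original post: a small checker for why a session cookie that was set by the API does not come back on a cross-site `fetch` with `credentials: "include"`. It covers the SameSite=None and Secure settings from the update and goes beyond it by also checking the CORS response headers a credentialed request needs; the origin, cookie values and header objects are constructed, and the page and the API are assumed to be on different sites.

```javascript
// Added example; cookie and header values below are constructed samples.
const REASONS = {
  "samesite-not-none": "SameSite is not None; Lax or Strict (and unset, where the browser defaults to Lax) keeps the cookie off cross-site fetch",
  "secure-missing": "browsers reject SameSite=None cookies that lack Secure",
  "acao-mismatch": "Access-Control-Allow-Origin must equal the page origin (not *) for credentialed requests",
  "acac-not-true": "Access-Control-Allow-Credentials must be the literal string true",
};

// Split one Set-Cookie value into its attributes (names lower-cased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: eq === -1 ? "" : pair.slice(0, eq), attrs };
}

// Reason codes explaining why a cookie set by the API would not come back on
// fetch(url, { credentials: "include" }) issued from pageOrigin.
// corsHeaders: the API's response headers as an object with lower-cased names.
function crossSiteCookieProblems(setCookie, corsHeaders, pageOrigin) {
  const { attrs } = parseSetCookie(setCookie);
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  const problems = [];
  if (sameSite !== "none") problems.push("samesite-not-none");
  else if (attrs.secure !== true) problems.push("secure-missing");
  if (corsHeaders["access-control-allow-origin"] !== pageOrigin) problems.push("acao-mismatch");
  if (corsHeaders["access-control-allow-credentials"] !== "true") problems.push("acac-not-true");
  return problems;
}

const PAGE_ORIGIN = "https://frontend.example"; // hypothetical origin of the HTML page
const HARDENED = ".App.Session=constructed-value; path=/; secure; samesite=none; httponly";
const DEFAULTS = ".App.Session=constructed-value; path=/; samesite=lax; httponly";
const CORS_OK = {
  "access-control-allow-origin": PAGE_ORIGIN,
  "access-control-allow-credentials": "true",
};

for (const [label, cookie, cors] of [
  ["configured as in the update", HARDENED, CORS_OK],
  ["default SameSite, wildcard CORS", DEFAULTS, { "access-control-allow-origin": "*" }],
]) {
  const found = crossSiteCookieProblems(cookie, cors, PAGE_ORIGIN);
  console.log(label + ":", found.length ? found.map((c) => REASONS[c]).join("; ") : "cookie round-trips");
}
```

Feed it the `Set-Cookie` value and response headers copied from the browser's network tab to see which condition is failing.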

Answers (1)

Rajdeep D

Reputation: 3920

Your HTML page is required to resend the cookies; if it's not sending them, the ASP.NET Web API cannot receive any values. Here your ASP.NET Web API is just an API; it has no control over your HTML pages. How are you making the API call from the HTML page?

Upvotes: 1
