Ruben Aleksanyan

Reputation: 103

Set cookie not over HTTPS in ASP.NET Core

I have two microservices. One is for identity. I am trying to set an auth cookie and I have this middleware:

app.UseCookiePolicy(new CookiePolicyOptions
{
    MinimumSameSitePolicy = SameSiteMode.None,   // do not raise SameSite on any cookie
    Secure = CookieSecurePolicy.None,            // do not force the Secure attribute
    HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None   // do not force HttpOnly
});

And also this service:

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;                          // not readable from script
        options.Cookie.SameSite = SameSiteMode.None;             // allow cross-site requests to carry it
        options.Cookie.SecurePolicy = CookieSecurePolicy.None;   // also issued over plain HTTP
        options.Cookie.IsEssential = true;                       // set even without consent
    });

And the browser also shows this warning:

(screenshot of the browser warning)

So I want to know if it is possible to set the cookie without HTTPS.

Upvotes: 1

Views: 2345

Answers (1)

Tore Nestenius

Reputation: 19971

You need to set the cookie over HTTPS, otherwise it will not work.

This is because the SameSite cookie functionality requires that it is done over HTTPS when the cookie reaches the browser.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

That says:

Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).

To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging cookie problems

Upvotes: 3
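The corrected configuration, as an added example that is not from the question, the answer or the linked blog post: the cross-site auth cookie keeps SameSite=None but is marked Secure (CookieSecurePolicy.Always), HTTPS redirection keeps it from ever being issued on a plain-HTTP response, and a small /login endpoint signs in a constructed user so the resulting Set-Cookie header can be inspected. The cookie name "identity.auth", the "demo-user" claim and the HTTPS port are assumptions for the demo.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = "identity.auth";                    // assumed cookie name
        options.Cookie.HttpOnly = true;                           // not readable from script
        options.Cookie.SameSite = SameSiteMode.None;              // needed so the other microservice's origin can send it
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;  // the fix: SameSite=None is only accepted with Secure
        options.Cookie.IsEssential = true;
    });

var app = builder.Build();

// Plain-HTTP requests are redirected, so the Secure cookie is never set on an insecure response.
app.UseHttpsRedirection();

// Policy middleware: enforce Secure and HttpOnly on every cookie the app emits,
// instead of the question's CookieSecurePolicy.None / HttpOnlyPolicy.None.
app.UseCookiePolicy(new CookiePolicyOptions
{
    MinimumSameSitePolicy = SameSiteMode.None,
    Secure = CookieSecurePolicy.Always,
    HttpOnly = HttpOnlyPolicy.Always
});

app.UseAuthentication();
app.UseAuthorization();

// Demo sign-in with a constructed principal; the response carries the auth cookie.
app.MapGet("/login", async (HttpContext ctx) =>
{
    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.Name, "demo-user") },   // constructed demo user
        CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                          new ClaimsPrincipal(identity));
    return Results.Ok("signed in; check the Set-Cookie header for 'secure' and 'samesite=none'");
});

app.Run();
```

Run it with the ASP.NET Core development certificate installed (dotnet dev-certs https --trust) and request the endpoint over HTTPS, e.g. curl -k -i https://localhost:5001/login (port assumed); the Set-Cookie line should contain both samesite=none and secure. Requesting the same endpoint over http:// only yields a redirect, which is the behaviour you want: a cookie that can be sent cross-site must never be obtainable over a channel an on-path attacker can read.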
