CODEWITHSUNDEEP
c#restasp.net-corecookies
toffik325
toffik325

Reputation: 331

ASP.Net Cookies not being saved to the browser

I simply want to save cookies containing security tokens, but they are not persisted in the browser. Here is my AuthController method for saving the cookie (simplified):

[AllowAnonymous]
[HttpPost("authorize")]
[ProducesResponseType((int)HttpStatusCode.OK)]
public async Task<IActionResult> AuthorizeAsync()
{
    //generating access token ommited for brevity
    SetTokenCookie(accessToken);
    return Ok(userIdentity);
}

And SetTokenCookie method:

private void SetTokenCookie(string accessToken)
    {
        var options = _jwtOptions.AccessToken;
        var cookieOptions = new CookieOptions()
        {
            HttpOnly = true,
            IsEssential = true,
            Secure = false,
            SameSite = SameSiteMode.Strict,
            Domain = options.Issuer, //http://localhost:3394 by default
            Expires = DateTime.UtcNow.AddDays(14)
        };

        Response.Cookies.Append(options.Name, accessToken, cookieOptions);
    }

Now when I analyze the response from my Api, I see that Set-Cookie header and token itself are fine: Response headers Decoded token:

{
  "id": "70132f61-4d83-4772-9685-7a77a9204685",
  "name": "admin",
  "email": "[email protected]",
  "role": "Administrator",
  "persist": "True",
  "nbf": 1646336045,
  "exp": 1646336945,
  "iat": 1646336045,
  "iss": "http://localhost:3394",
  "aud": [
    "blog.webgateway",
    "blog.blogging",
    "blog.comments",
    "blog.users"
  ]
}

But when I check the cookies, nothing is saved.

I know that there are many topics related to this issue, but I already ran out of ideas I could find online:

  1. I wiped storage in my browser for localhost
  2. I added custom entry in my hosts file and changed cookie domain accordingly
  3. I tried setting cookie domain = null or different path
  4. I added Cors and allowed credentials, any methods, any headers, any origin
  5. I tried more permissive settings in my browser
  6. I tried changing cookie options (HttpOnly, Secure, SameSite)
  7. I removed UseHttpsRedirection() from my Startup.cs and made sure I connet via HTTP

Nothing seems to work. I'm using Firefox 97.0.1. Do you know what else I could try?

Upvotes: 9

Views: 16381

Answers (3)

SSchmid
SSchmid

Reputation: 441

I managed to get it running by using the [FromBody] Attribute. This works for me :

    [HttpPost("Login")]
    public async Task<IActionResult> Login([FromBody] LoginData data)
    {

        var user = await userManager.FindByEmailAsync(data.Email);
        if (user == null || !await userManager.CheckPasswordAsync(user, data.Password))
            return Unauthorized("Invalid Authentication");

        await signInManager.SignInAsync(user, data.rememberMe);
        var roles = (await userManager.GetRolesAsync(user)).ToList();
        var sUser = new Models.User(user, roles);
        return Ok(sUser);
    }

apparently if u use HTTPPOST in combination with parameters it doesnt work.

Upvotes: 1

toffik325
toffik325

Reputation: 331

I've finally managed to solve the issue... Here are the steps I've made:

  1. Changed the controller method to HttpGet, so it just looks like this now:
[AllowAnonymous]
[HttpGet("authorize")] // <-- notice the difference
[ProducesResponseType((int)HttpStatusCode.OK)]
public async Task<IActionResult> AuthorizeAsync()
{
    //generating access token ommited for brevity
    SetTokenCookie(accessToken);
    return Ok(userIdentity);
}

For some reason calling a Post request directly from the browser (Firefox at least in my case) doesn't seem to work for setting the cookies, even if the response looks fine, but when I changed it to Get method and accessed in a standard way (URL) it works. I will have to double-check if Post method works from the client (JavaScript).

  1. Apply above solution from Tiny Wang, which means changing the cookie domain to localhost. Having the full URL indeed prevent cookie from being saved.

Edit: As pointed out by SSchmid in the comments, changing method to "Get" was only a temporary workaround while using Development Tools in Firefox. For further development or production it is not recommend to keep it as a "Get" method.

Upvotes: 1

Tiny Wang
Tiny Wang

Reputation: 15906

Did you try to change the Domain to localhost?

Per my test, using `` didn't work for me, and then I found that other cookies showed they belong to domain localhost, so I use localhost instead, then I can see the newly created cookie. I test to call the api by tools in chrome, so I think it should be similar to your scenario.

public string saveCookie() {
    var cookieOptions = new CookieOptions()
    {
        HttpOnly = true,
        IsEssential = true,
        Secure = false,
        SameSite = SameSiteMode.Strict,
        Domain = "localhost", //using https://localhost:44340/ here doesn't work
        Expires = DateTime.UtcNow.AddDays(14)
    };

    Response.Cookies.Append("testCookie", "Cookie content", cookieOptions);
    return "hello world";
}

enter image description here

Upvotes: 5

Related Questions