Reputation: 751
I am debugging a problem with a legacy ASPNETCore authentication system that uses IdentityServer4. It seems to be a problem with how Chrome (and Edge) handles a cookie.
When the Login page posts (via HTTPS) the user's credentials, the Login endpoint responds with a 302 redirect to a callback URL on the same server (/connect/authorize/callback). This response contains 3 new cookies:
With Firefox, the browser then sends a request to the callback URL. That request includes all 3 of these cookies, and everything works.
But with Chrome or Edge, the request to the callback URL includes the first two cookies but does not include the idsrv cookie, so that request fails and my users are sent back to the Login page.
Why wouldn't Chrome include a cookie that it has just received?
Chrome tells me (via the Network tab) that the idsrv cookie is present in the HTTPS post response, that it is not filtered out, and it has these properties:
But the cookie is not visible on the Application tab, suggesting it is not being stored, correct?
I have tried setting SameSite=Lax on the idsrv cookie, and extending the expiry time, but that has no effect.
Upvotes: 2
Views: 359
Reputation: 19951
Are you using HTTP or HTTPS?
If you are using HTTP in the browser, then cookies will be lost. I did blog about how to troubleshoot this at https://nestenius.se/2023/10/09/debugging-cookie-problems/
Today you must always use HTTPS with OpenID-Connect.
Upvotes: 1
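The symptom in the question (the cookie is visible in the 302's response headers on the Network tab, never appears in the Application tab, and is missing from the redirect request) is a store-time rejection, and the answer's HTTP-vs-HTTPS point is the usual cause. The following is an added example, not code from the question, the answer, or IdentityServer4: a small model of the cookie-jar rules a Chromium browser applies when it receives Set-Cookie headers and then follows the redirect. It models only the Secure-over-HTTP and SameSite=None rules; Domain, Path and Expires matching are left out. The host `idp.example.test`, the cookie names `first` and `second`, and all cookie values are constructed placeholders; only `idsrv` is a name from the question.

```python
"""Model of the cookie-jar decisions a Chromium browser makes when a 302
response carries Set-Cookie headers and the browser then follows the
redirect. Simplified: no Domain/Path/Expires matching, only the rules that
matter for the Secure / SameSite / HTTP-vs-HTTPS failure discussed above.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    httponly: bool
    samesite: str  # "Strict", "Lax" or "None"; Chromium treats unspecified as Lax


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (attribute names are case-insensitive)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(
        name=name.strip(),
        value=value.strip(),
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite", "").capitalize() or "Lax",
    )


def store_cookies(response_url: str, set_cookie_headers: List[str]) -> Tuple[Dict[str, Cookie], List[str]]:
    """Decide which cookies from a response are stored. Returns (jar, rejection reasons).

    A rejected cookie is exactly the symptom in the question: present in the
    response headers on the Network tab, absent from the Application tab.
    """
    scheme = urlparse(response_url).scheme
    jar: Dict[str, Cookie] = {}
    rejected: List[str] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.secure and scheme != "https":
            rejected.append(f"{cookie.name}: Secure attribute but received over {scheme}://")
            continue
        if cookie.samesite == "None" and not cookie.secure:
            rejected.append(f"{cookie.name}: SameSite=None without Secure")
            continue
        jar[cookie.name] = cookie
    return jar, rejected


def cookies_for_request(jar: Dict[str, Cookie], request_url: str, same_site: bool = True) -> List[str]:
    """Names of stored cookies the browser attaches to a top-level navigation."""
    scheme = urlparse(request_url).scheme
    sent = []
    for cookie in jar.values():
        if cookie.secure and scheme != "https":
            continue  # Secure cookies never travel over plain HTTP
        if cookie.samesite in ("Strict", "Lax") and not same_site:
            continue  # cross-site navigations only carry SameSite=None cookies
        sent.append(cookie.name)
    return sorted(sent)


# Constructed sample: three Set-Cookie headers like those on the 302 from the
# login endpoint. Only "idsrv" is a name from the question; "first", "second"
# and every value are placeholders.
SET_COOKIE_HEADERS = [
    "first=v1; path=/; samesite=lax",
    "second=v2; path=/; samesite=lax; httponly",
    "idsrv=SESSION_PLACEHOLDER; path=/; secure; samesite=lax; httponly",
]


def simulate(login_url: str, callback_url: str) -> Dict[str, List[str]]:
    """Store the cookies from the login 302 at login_url, then follow the redirect to callback_url."""
    jar, rejected = store_cookies(login_url, SET_COOKIE_HEADERS)
    return {
        "stored": sorted(jar),
        "rejected": rejected,
        "sent": cookies_for_request(jar, callback_url),
    }


if __name__ == "__main__":
    host = "idp.example.test"  # placeholder host
    for scheme in ("https", "http"):
        result = simulate(f"{scheme}://{host}/account/login",
                          f"{scheme}://{host}/connect/authorize/callback")
        print(scheme, result)
```

Running it shows the two cases side by side: over HTTPS all three cookies are stored and sent to the callback; over HTTP the `idsrv` cookie (the only one carrying `Secure`) is rejected at store time and the callback request arrives with just the other two, which matches the Firefox-works / Chrome-fails picture only if Firefox is being tested on a different scheme, so the first thing to compare is the exact URL in each browser's address bar. A third case worth checking in the same way is an HTTPS login followed by an `http://` callback: the cookie is stored but not sent.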