Dominik

Reputation: 1

Cookies Not Set After Microsoft Login Redirection in Production Environment (ASP.NET)

I’m facing an issue where cookies are not being set properly after a Microsoft login redirection in my web application. The login flow works fine locally in an HTTPS environment, but in production, the cookies appear to disappear after the backend redirects to the frontend.

Here’s an overview of the issue:

The backend redirects the user to the PostLoginRedirect action after login. In this action, I set a test cookie for debugging purposes:

[HttpGet("post-login-redirect")]
public IActionResult PostLoginRedirect()
{
    Response.Cookies.Append("TestCookie", "TestValue", new CookieOptions
    {
        SameSite = SameSiteMode.None, // Required for cross-origin
        Secure = true,               // Enforce HTTPS
        HttpOnly = true,             // For security
        Path = "/",
        Expires = DateTime.UtcNow.AddMinutes(30)
    });

    return Redirect("https://my-website/home");
}

If I return a simple Ok() response instead of a redirect, the cookies are visible in the browser’s DevTools. However, when I use the Redirect to send the user back to the frontend, the cookies are not set. The problem occurs only in the production environment, which uses HTTPS for both the backend and frontend. It works perfectly fine locally over HTTPS. Here’s my Program.cs setup:

CORS is configured to allow credentials:

builder.Services.AddCors(options =>
{
    options.AddPolicy("AllowFrontend",
        policy =>
        {
            policy.WithOrigins("https://my-website")
                .AllowAnyHeader()
                .AllowAnyMethod()
                .AllowCredentials(); // Required for cookies
        });
});

Cookies are configured with SameSite=None and Secure=true. ForwardedHeadersOptions is set for proxies:

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
});

OpenID Connect options:

options.NonceCookie.SameSite = SameSiteMode.None;
options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
options.CorrelationCookie.SameSite = SameSiteMode.None;
options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;

I’ve ensured both the backend and frontend are served over HTTPS in production. I also checked the browser’s DevTools and confirmed that no cookies are being set during the redirect in production.

What could be causing the cookies to not persist in production after a redirect? How can I ensure that cookies are set properly and persist across the login flow?

By "appear to disappear," I mean that the cookies set in the PostLoginRedirect action are not visible in DevTools > Application > Cookies under the backend domain after the redirect to the frontend. They also don’t appear in the Cookie header of subsequent requests made to the backend from the frontend. Both frontend and backend are on different top-level domains. I’ve configured cookies with SameSite=None and Secure=true. Could this be due to third-party cookie blocking, or am I missing something?

Upvotes: 0

Views: 32
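As an added illustration (not code from the question), the following C# console snippet models how a user agent scopes the cookie that PostLoginRedirect sets on its 302 response. System.Net.CookieContainer applies host, path and Secure scoping, so a cookie stored for the backend host is never attached to a request for a frontend on another domain, and is not attached to a plain-http request to the backend either. The hostnames and the Set-Cookie line are constructed placeholders, not the asker's real values. CookieContainer does not implement SameSite or third-party cookie blocking; those are browser policies layered on top of the scoping shown here.

```csharp
// Added example, not from the question: models user-agent cookie scoping for a
// cookie set by a backend on a 302. CookieContainer honours host, path and
// Secure; it ignores SameSite and knows nothing about third-party blocking.
using System;
using System.Net;

static class CookieScopeDemo
{
    // Assumed placeholder hostnames (not the asker's real domains).
    static readonly Uri Backend  = new("https://api.example.test/post-login-redirect");
    static readonly Uri Frontend = new("https://app.example.test/home");

    // Constructed Set-Cookie header, shaped like the one the CookieOptions in the
    // question produce (SameSite=None; Secure; HttpOnly; Path=/).
    const string SetCookieHeader =
        "TestCookie=TestValue; path=/; secure; samesite=none; httponly";

    // Stores the header the way a user agent does when it receives the backend's
    // 302, then reports on which requests the cookie would be attached.
    public static (int onBackendHttps, int onBackendHttp, int onFrontend) Evaluate()
    {
        var jar = new CookieContainer();
        jar.SetCookies(Backend, SetCookieHeader);   // keyed by the backend host, not the frontend

        int onBackendHttps = jar.GetCookies(new Uri("https://api.example.test/")).Count;
        int onBackendHttp  = jar.GetCookies(new Uri("http://api.example.test/")).Count;  // Secure: not sent over http
        int onFrontend     = jar.GetCookies(Frontend).Count;                              // other host: never sent
        return (onBackendHttps, onBackendHttp, onFrontend);
    }

    static void Main()
    {
        var (https, http, frontend) = Evaluate();
        Console.WriteLine($"backend over https: {https}, backend over http: {http}, frontend: {frontend}");
    }
}
```

The practical consequence is that the cookie can only ever show up in DevTools under the backend domain, and a cross-site request from the frontend to the backend carries it only when the call is made with credentials included and the browser's SameSite=None / third-party cookie policy permits it.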

Answers (1)

Tore Nestenius

Reputation: 19901

If you think ForwardedHeaders is the problem, then you can try to clear the options below. Also, do check the logs for the ForwardedHeaders middleware. In production you should set the KnownProxies to ensure you only trust traffic from your proxy. By default, it's set to localhost I think.

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.All;

    // Diagnostic only: with these lists cleared, forwarded headers from any
    // source are trusted. Set KnownProxies in production (see above).
    options.AllowedHosts.Clear();
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

I did a blog post about Exploring the Forwarded Headers Middleware in ASP.NET Core.

Upvotes: 0
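As an added example (not the answer author's code, nor taken from the linked blog post), here is how the production-side advice above looks in a minimal Program.cs: trust X-Forwarded-* headers only from an explicitly listed proxy, run the middleware before anything that reads Request.Scheme or Request.Host, and expose a diagnostic endpoint that reports what the app actually believes about the request. The proxy address and hostname are assumed placeholders; the CORS, authentication and OpenID Connect registrations from the question are omitted here and would be added after UseForwardedHeaders in the same order as shown in the comments.

```csharp
// Added example, not from the answer: Program.cs that trusts forwarded headers
// only from a known proxy and exposes a /diag endpoint for checking the result.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost;

    // Trust only the reverse proxy that sits in front of the app. The defaults
    // only trust loopback, so headers arriving from a proxy on another machine
    // are silently ignored and Request.Scheme stays "http".
    // 10.0.0.5 is an assumed placeholder for your proxy's address.
    options.KnownProxies.Clear();
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.5"));
    options.KnownNetworks.Clear();

    // Optional: only accept this value from X-Forwarded-Host (assumed hostname).
    options.AllowedHosts.Add("api.example.test");
});

var app = builder.Build();

// Must be first: HTTPS redirection, CORS, authentication (OIDC builds its
// redirect_uri from Request.Scheme/Host) and cookie policy all read the
// values this middleware rewrites.
app.UseForwardedHeaders();
app.UseHttpsRedirection();
// app.UseCors("AllowFrontend");   // from the question's setup
// app.UseAuthentication();        // from the question's setup
// app.UseAuthorization();

// Diagnostic endpoint: call it through the proxy and compare with a direct call.
// X-Original-For / X-Original-Proto are written by the middleware only when it
// actually applied the forwarded values; if they are missing, the headers came
// from an address that is not in KnownProxies/KnownNetworks.
app.MapGet("/diag", (HttpContext ctx) => Results.Ok(new
{
    scheme = ctx.Request.Scheme,                             // expect "https" behind the proxy
    host = ctx.Request.Host.Value,
    remoteIp = ctx.Connection.RemoteIpAddress?.ToString(),   // client IP if applied, proxy IP if not
    originalFor = ctx.Request.Headers["X-Original-For"].ToString(),
    originalProto = ctx.Request.Headers["X-Original-Proto"].ToString(),
    cookieNames = ctx.Request.Cookies.Keys                   // what the browser actually sent
}));

app.Run();
```

If /diag reports scheme "http" behind the proxy, the forwarded headers are not being trusted; fix KnownProxies rather than clearing the lists in production, since an empty list lets any client spoof its address and scheme.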
