The cookie '.AspNetCore.Identity.Application' has set 'SameSite=None' and must also set 'Secure'

I followed these links:

These are my settings:

services.AddIdentityServer()
    .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

services.AddAuthentication()
    .AddIdentityServerJwt();

services.ConfigureNonBreakingSameSiteCookies();

// Adjust to this (or similar)
services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // add an instance of the patched manager to the options:
        options.CookieManager = new ChunkingCookieManager();
    });

And then in the configure:

app.UseCookiePolicy();

I am trying to run identity over http. I get those errors when setting certain (but not all) cookies, and I completely fail to delete the cookies in Chrome.

Crosspatch answered 9/3, 2021 at 10:52 Comment(0)
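The two symptoms in the question (a Set-Cookie error on some cookies but not others, and cookies that cannot be removed in Chrome) both come from rules browsers apply to Secure and SameSite=None. The JavaScript below is an added example, not code from the question or from any answer: it models those rules over a cookie jar and replays the Identity application cookie through sign-in and sign-out on an http origin, an https origin and localhost. The origin app.example, the cookie value and the Set-Cookie strings are constructed; only Max-Age is parsed for expiry, not Expires.

```javascript
'use strict';
// Added example, not code from the question or the answers: a model of how a
// current browser (Chrome 80+, Firefox, Safari) decides whether to store,
// overwrite or delete a cookie from a Set-Cookie header. Rules modelled:
//   1. SameSite=None is only honoured together with Secure.
//   2. A Secure cookie cannot be created from a plain http:// origin, and an
//      existing Secure cookie cannot be overwritten or deleted from one
//      ("Leave Secure Cookies Alone", RFC 6265bis). localhost is treated as a
//      secure context, as Chrome and Firefox do.
//   3. A cookie without a SameSite attribute is treated as Lax.
// The scheme that matters is the one the browser sees, not the one the app
// sees behind a TLS-terminating load balancer. Only Max-Age is parsed for
// expiry; the Expires attribute is ignored in this model. All Set-Cookie
// strings and the origin app.example are constructed for the demo.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: 'Lax',   // browser default when the attribute is absent
    maxAge: null,      // null = session cookie
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'secure':   cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v ? v[0].toUpperCase() + v.slice(1).toLowerCase() : 'Lax'; break;
      case 'max-age':  cookie.maxAge = Number(v); break;
      default: break;  // Path, Domain, Expires: not needed for these rules
    }
  }
  return cookie;
}

// Applies one Set-Cookie header to a cookie jar (Map keyed by cookie name) as the
// browser would for a response fetched from `requestUrl`. Returns a reason string
// and mutates the jar only when the header is accepted.
function applySetCookie(jar, header, requestUrl) {
  const cookie = parseSetCookie(header);
  const url = new URL(requestUrl);
  const secureContext = url.protocol === 'https:' || url.hostname === 'localhost';
  const existing = jar.get(cookie.name);

  if (cookie.sameSite === 'None' && !cookie.secure) {
    return 'rejected: SameSite=None requires Secure';
  }
  if (!secureContext && existing && existing.secure) {
    return 'rejected: a non-secure origin cannot overwrite or delete a Secure cookie';
  }
  if (!secureContext && cookie.secure) {
    return 'rejected: Secure cookie set from a non-secure origin';
  }
  if (cookie.maxAge !== null && cookie.maxAge <= 0) {
    jar.delete(cookie.name);   // an expired cookie with the same name deletes it
    return 'deleted';
  }
  jar.set(cookie.name, cookie);
  return 'stored';
}

// Replays the Identity application cookie across sign-in and sign-out:
// sign-in first without Secure, then with it, then the sign-out response that
// tries to delete it. Returns what the browser did with each header.
function replaySignInSignOut(signInOrigin, signOutOrigin) {
  const jar = new Map();
  const name = '.AspNetCore.Identity.Application';
  return [
    applySetCookie(jar, `${name}=token; path=/; samesite=none; httponly`, signInOrigin),
    applySetCookie(jar, `${name}=token; path=/; secure; samesite=none; httponly`, signInOrigin),
    applySetCookie(jar, `${name}=; path=/; max-age=0; secure; samesite=none; httponly`, signOutOrigin),
  ];
}

// The same app served over http (as in the question), over https, and on localhost.
console.log(replaySignInSignOut('http://app.example', 'http://app.example'));
console.log(replaySignInSignOut('https://app.example', 'http://app.example'));
console.log(replaySignInSignOut('https://app.example', 'https://app.example'));
console.log(replaySignInSignOut('http://localhost', 'http://localhost'));
```

Over plain http the cookie with SameSite=None is never stored, with or without Secure, which is the error in the title; a cookie that was stored while the site was served over https survives a sign-out over http because the browser ignores the deletion, which is the "cannot delete in Chrome" symptom. localhost behaves like https, so the problem often only shows up once the app moves to a real hostname.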

Everything is okay in your code, but you should configure your cookies further.

Add the additional attributes Secure, HttpOnly and SameSite in AddCookie. More information is in the official documentation.

Example:

services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // add an instance of the patched manager to the options:
        options.CookieManager = new ChunkingCookieManager();

        options.Cookie.HttpOnly = true;
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    });
Quintana answered 9/3, 2021 at 11:11 Comment(0)

In case anyone else comes across this and still has a problem. I ended up having to do a similar change for the NonceCookie and CorrelationCookie properties to get them to work. Our system is using Identity Server and lives behind a Load Balancer that also offloads the SSL piece.

services.AddAuthentication(options =>
{
    options.DefaultScheme = "cookies";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("cookies", options =>
{
    options.Cookie.Name = "appcookie";
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
})
.AddOpenIdConnect("oidc", options =>
{
    // the correlation and nonce cookies are written by the OIDC handler, not by AddCookie
    options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
    options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
    ...
});
Chrissie answered 15/7, 2021 at 20:30 Comment(3)
SameSiteMode.Strict works for you? doesn't it have to be None for identity server to be able to set it on the client?Stockjobber
@GuyLevy oddly enough it is working with SameSiteMode set to Strict. I had expected it to fail with that setting but it hasn't.Chrissie
This doesn't work for me in Chrome for .NET 7 and the latest Identity Server packages as of today. Firefox doesn't have that problem. Microsoft.AspNetCore.Authentication.OpenIdConnect 7.0.0 and Duende.IdentityServer 6.1.7Serene
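The comments above ask why the application cookie can be Strict at all, and why the same configuration works in Firefox but not in Chrome. Both come down to which stored cookies the browser attaches to each request of the OpenID Connect flow. The JavaScript below is an added example, not code from the answer or its comments: it encodes the SameSite sending rules and walks the code flow with them, showing that the correlation cookie (presented on a cross-site form_post callback) needs SameSite=None, while the application cookie, set in the callback response and then used on same-site requests, can be Strict, and where a Strict application cookie stops being sent. The hostnames rp.example and idp.example, the cookie names and the flag redirectAfterCallbackIsCrossSite are assumptions made for the demo; the flag stands in for a browser difference in how the redirect that follows a cross-site callback is classified, without attributing a behaviour to a specific browser version.

```javascript
'use strict';
// Added example, not code from the answer or its comments: which stored cookies
// a browser attaches to a request, by SameSite value and request context, and
// the OpenID Connect code flow walked through with that rule. Rules modelled
// (RFC 6265bis as implemented by current browsers):
//   Strict: sent only on same-site requests.
//   Lax:    sent on same-site requests and on cross-site top-level navigations
//           that use a safe method (GET); not on a cross-site POST.
//   None:   sent on every request, but only when Secure and only over https.
// Flow: the RP (rp.example) sends the browser to the IdP (idp.example), the IdP
// posts the authorization response to the RP callback (response_mode=form_post,
// the ASP.NET Core OpenIdConnect handler's default), and the callback response
// sets the application cookie and redirects into the app. The hostnames, the
// cookie names and the flag redirectAfterCallbackIsCrossSite are assumptions.

function cookieSent(cookie, req) {
  // req: { url, crossSite, method, topLevel }
  if (cookie.secure && !req.url.startsWith('https:')) return false;
  switch (cookie.sameSite) {
    case 'Strict': return !req.crossSite;
    case 'Lax':    return !req.crossSite || (req.topLevel && req.method === 'GET');
    case 'None':   return cookie.secure;
    default:       throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// redirectAfterCallbackIsCrossSite captures a browser difference: some browsers
// carry the cross-site classification through the redirect chain that started
// at the IdP, others classify the redirect by its previous hop only (same-site).
function oidcFlow({ correlationSameSite, appSameSite, redirectAfterCallbackIsCrossSite }) {
  const correlation = { name: '.AspNetCore.Correlation', sameSite: correlationSameSite, secure: true };
  const app = { name: 'appcookie', sameSite: appSameSite, secure: true };

  // Step 1: the RP's challenge response (302 to the IdP) sets the correlation
  // cookie; SameSite restricts sending, not storing, so it is stored.
  // Step 2: the IdP posts back to the callback: cross-site, top-level POST.
  const correlationSentOnCallback = cookieSent(correlation, {
    url: 'https://rp.example/signin-oidc', crossSite: true, method: 'POST', topLevel: true });
  // Step 3: the callback response sets the app cookie and redirects (302, GET).
  const appSentAfterCallback = cookieSent(app, {
    url: 'https://rp.example/', crossSite: redirectAfterCallbackIsCrossSite, method: 'GET', topLevel: true });
  // Step 4: a later click inside the app is a same-site navigation.
  const appSentOnLaterNavigation = cookieSent(app, {
    url: 'https://rp.example/orders', crossSite: false, method: 'GET', topLevel: true });

  return {
    // without the correlation cookie the handler rejects the callback
    loginCompletes: correlationSentOnCallback,
    correlationSentOnCallback,
    appSentAfterCallback,
    appSentOnLaterNavigation,
  };
}

console.log('correlation Lax, app Strict:',
  oidcFlow({ correlationSameSite: 'Lax', appSameSite: 'Strict', redirectAfterCallbackIsCrossSite: false }));
console.log('correlation None, app Strict, previous-hop browser:',
  oidcFlow({ correlationSameSite: 'None', appSameSite: 'Strict', redirectAfterCallbackIsCrossSite: false }));
console.log('correlation None, app Strict, redirect-chain browser:',
  oidcFlow({ correlationSameSite: 'None', appSameSite: 'Strict', redirectAfterCallbackIsCrossSite: true }));
console.log('correlation None, app Lax, redirect-chain browser:',
  oidcFlow({ correlationSameSite: 'None', appSameSite: 'Lax', redirectAfterCallbackIsCrossSite: true }));
```

The third case is the one that looks like a broken login: the callback succeeds, but the very next request carries no application cookie, so the user lands on the app unauthenticated (or in a redirect loop), while typing the app URL afterwards works because that navigation is same-site. Lax on the application cookie is sent in both redirect classifications. Since SameSite=None is only usable with Secure, the correlation cookie row also explains the error in the title. One more thing to check in ASP.NET Core: a cookie policy whose MinimumSameSitePolicy is Lax raises a None cookie to Lax before it is written, which turns the working correlation case into the failing one; Microsoft's SameSite guidance sets that minimum to Unspecified for this reason.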

I know I'm late for the party. However, this is my solution. The following code was added to the ConfigureServices method.

services.Configure<AntiforgeryOptions>(config =>
{
    config.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

services.Configure<CookieTempDataProviderOptions>(config =>
{
    config.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

services.ConfigureApplicationCookie(options =>
{
    options.Cookie.HttpOnly = true;
    // _env is the IWebHostEnvironment injected into Startup
    options.Cookie.SecurePolicy = _env.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Lax;
});
Test answered 13/12, 2023 at 13:31 Comment(0)

Personally I prefer to set a cookie policy for all cookies used in the app, like this:

app.UseCookiePolicy(new()
{
    HttpOnly = HttpOnlyPolicy.Always,
    Secure = CookieSecurePolicy.Always,
    MinimumSameSitePolicy = SameSiteMode.Lax,
});
Disembroil answered 30/5 at 7:2 Comment(0)

For ASP.NET Core WebApi with Identity and JWT:

builder.Services.ConfigureApplicationCookie(options =>
{
    options.Cookie.Name = "learning-token";
    options.Cookie.HttpOnly = true;
    options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
    options.LoginPath = "/api/v1/Auth/Login";
    // ReturnUrlParameter requires 
    //using Microsoft.AspNetCore.Authentication.Cookies;
    options.ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
    options.SlidingExpiration = true;
});
Paletot answered 9/8 at 22:59 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.