Azure / static-web-apps

Azure Static Web Apps. For bugs and feature requests, please create an issue in this repo. For community discussions, latest updates, kindly refer to the Discussions Tab. To know what's new in Static Web Apps, visit https://aka.ms/swa/ThisMonth
https://aka.ms/swa
MIT License

Set-Cookie header not showing when expiry attribute contains an expired date #1214

Open keidyz opened 1 year ago

keidyz commented 1 year ago

Describe the bug
When the managed function returns a response with the "Set-Cookie" header, the Set-Cookie header would not exist if it has an expiry attribute that is set to a past date

// won't appear in the response headers
'Set-Cookie': '_test=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure'

// will appear in the response headers assuming execution date is before 'Thu, 01 Jan 2024 00:00:00 GMT'
'Set-Cookie': '_test=; Path=/; Expires=Thu, 01 Jan 2024 00:00:00 GMT; Secure'

To Reproduce
Steps to reproduce the behavior:

  1. Create a server-side rendered static web app with the server-side of the app hosted in a managed function
  2. On the server-side, when creating a response, use the Set-Cookie header and set its value to _test=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure
  3. Make sure your code is deployed into Azure
  4. Trigger the route in the deployed app that would give you the response that should contain the Set-Cookie header
  5. Observe that the header does not exist

Expected behavior
Set-Cookie should always appear regardless of the expiry attribute being expired

Device info (if applicable):

Additional context
Works locally, issue only arises when deployed to Azure

ndamkjaer commented 9 months ago

I'm also facing this issue, although with using APIM as backend. Whenever a Set-Cookie header contains an Expires attribute that is expired, the header is removed from the response by the static web app proxy.

As a consequence of this we are not able to use the API backend to set and expire authentication cookies used by cookie authentication in dotnet core.

How do we fix this?

keidyz commented 9 months ago

@ndamkjaer What I used instead of Expires is Max-Age, like Max-Age=0 to indicate that the cookie should immediately expire. It worked pretty well.

torjussa commented 1 week ago

Same issue here. Works locally, but not deployed to swa.

The bug makes the SignOutAsync() function of .Net Cookie Authentication unusable when communicating with a Static Web App, as it uses Expires in the Set-Cookie header.

@keidyz's solution is a nice workaround: manually add a Set-Cookie header with Max-Age to the response.
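The following is an added example, not code from the static-web-apps project or from anyone in this thread. It shows the Max-Age=0 workaround the thread converges on, and a small audit that flags Set-Cookie headers whose clearing depends only on a past Expires date (the pattern reported above as being dropped when deployed). The cookie name `.AspNetCore.Cookies` is the ASP.NET Core cookie-authentication default; the sample headers are constructed from the values quoted in the issue.

```javascript
// Added example (not the project's own code): build a cookie-clearing Set-Cookie
// header with Max-Age=0, and audit a response for headers that rely solely on a
// past Expires date, which this thread reports the SWA proxy strips.

// Parse one Set-Cookie header value into its name/value pair and an attribute map
// (attribute names lower-cased; flag attributes such as Secure map to true).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attributes };
}

// True when the header's only expiry mechanism is an Expires date earlier than
// `now`. Max-Age takes precedence over Expires (RFC 6265 section 5.3), so a header
// that carries Max-Age is never flagged.
function reliesOnPastExpires(header, now = new Date()) {
  const { attributes } = parseSetCookie(header);
  if ('max-age' in attributes) return false;
  if (!('expires' in attributes)) return false;
  const when = new Date(attributes.expires);
  if (Number.isNaN(when.getTime())) return false; // unparseable date: not our concern here
  return when.getTime() < now.getTime();
}

// Build a header that clears `name` using Max-Age=0 instead of a past Expires date.
// Secure, HttpOnly and SameSite=Lax are defaults chosen for an auth cookie.
function buildClearingCookie(name, { path = '/', secure = true, httpOnly = true, sameSite = 'Lax' } = {}) {
  const parts = [`${name}=`, `Path=${path}`, 'Max-Age=0'];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Names of cookies in `setCookieHeaders` whose clearing would depend on a past
// Expires date alone; run this over a response before trusting a logout flow.
function auditSetCookieHeaders(setCookieHeaders, now = new Date()) {
  return setCookieHeaders
    .filter((h) => reliesOnPastExpires(h, now))
    .map((h) => parseSetCookie(h).name);
}

// Constructed sample: the two headers quoted in the issue plus a Max-Age-based one.
const SAMPLE_HEADERS = [
  '_test=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure',
  '_test=; Path=/; Expires=Thu, 01 Jan 2024 00:00:00 GMT; Secure',
  buildClearingCookie('.AspNetCore.Cookies'),
];

// Evaluated at a fixed date so the result is reproducible: only the 1970 header
// is flagged, the 2024 one is still in the future at that point.
console.log(auditSetCookieHeaders(SAMPLE_HEADERS, new Date('2023-06-01T00:00:00Z')));
```

The audit is deliberately conservative: it only flags headers that carry no Max-Age at all, since a Max-Age=0 header is what the workaround in this thread relies on and is honoured by every current browser.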