Azure / static-web-apps

Azure Static Web Apps. For bugs and feature requests, please create an issue in this repo. For community discussions and the latest updates, refer to the Discussions tab. To see what's new in Static Web Apps, visit https://aka.ms/swa/ThisMonth
https://aka.ms/swa
MIT License

Cookie set from API is not included in callback #382

Open jahlen opened 3 years ago

jahlen commented 3 years ago

Hi!

I have developed a quickstart template for Azure Static Web App / Hugo / Netlify CMS. https://github.com/jahlen/hugo-azure-static-webapp

It implements Netlify CMS to GitHub authentication via an Azure Function (found under /api/OAuth.cs). For the OAuth authentication, I tried saving the state in a cookie, but it won't work. Here's my code where I set the cookie:

using System.Net;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

// CookieName, AuthorizationUrl, ClientId, RedirectUri, Scope and CreateRandomString()
// are defined elsewhere in OAuth.cs (see the linked repository).
[FunctionName("Auth")]
public static IActionResult Auth(
    [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req,
    ILogger log)
{
    // Unguessable OAuth state, stored in a cookie so the callback can verify it.
    var state = CreateRandomString();
    // Lax is deliberate: the callback is a cross-site top-level GET from the provider,
    // and a Strict cookie is never sent on a cross-site request.
    req.HttpContext.Response.Cookies.Append(CookieName, state, new CookieOptions { HttpOnly = true, SameSite = SameSiteMode.Lax, Secure = true });
    var authorizationUrl = $"{AuthorizationUrl}?response_type=code&client_id={ClientId}&redirect_uri={WebUtility.UrlEncode(RedirectUri)}&scope={WebUtility.UrlEncode(Scope)}&state={WebUtility.UrlEncode(state)}";

    return new RedirectResult(authorizationUrl);
}

The problem is that the cookie is NOT included when the user is sent to the redirect_uri, even if it is on the same domain. If I manually go to the redirect_uri in my browser, the cookie will be included. Maybe this is a difference in behavior between strict and lax? I note that it sets samesite to strict even if I specify it to be lax.


Anything wrong I am doing with the cookie?

miwebst commented 3 years ago

Hey @jahlen, there were some fixes that went out relating to how Functions could be used for setting cookies. Is this issue still happening?

jahlen commented 3 years ago

Hey @miwebst, yes the problem remains. The cookie is still set as samesite=strict even if I set it to lax:

req.HttpContext.Response.Cookies.Append(CookieName, state, new CookieOptions { HttpOnly = true, SameSite = SameSiteMode.Lax, Secure = true});

Here is the source code.

I've tried many ways to circumvent it, but I always get a samesite=strict cookie.

mkarmark commented 3 years ago

Hi @jahlen, thanks for bringing this to our attention! We are looking into this and will post here when we have a fix for this out. Thanks for your patience!

re-sounding commented 2 years ago

Hey @mkarmark, is there any update on this issue?

I'm running into the same problem: any cookie returned by an Azure function (I'm using a static web app + functions) with SameSite set to lax is changed to strict.

I'm using Node. My project is set up with a proxy, but this issue also happens for functions that don't match the proxy.

// Azure Functions (Node) HTTP handler: the `cookies` array on context.res is how
// the Node worker asks the host to emit Set-Cookie headers.
module.exports = async function (context, req) {
    context.res = {
        status: 200,
        cookies: [{
            name: 'HelloWorld',
            value: 'abc',
            path: '/',
            sameSite: 'Lax',   // reaches the browser as SameSite=Strict on SWA
        }],
    };
};

My temporary workaround is to return the cookie string to the front end and set it from there...but that is far from ideal.

re-sounding commented 2 years ago

Pinging this thread again. Any updates?

mortezaadi commented 2 years ago

I ran into the same issue. Apparently it happens only in Chrome, while it works perfectly fine in Safari; at least that is what happens to me. Are you using Chrome?

re-sounding commented 2 years ago

I was indeed testing on Chrome.

mortezaadi commented 2 years ago

@re-sounding, apparently there is a bug related to cookies with Google Chrome; they are planning something long term with their cookies -> https://blog.google/products/chrome/updated-timeline-privacy-sandbox-milestones/ You can read more here: https://blog.heroku.com/chrome-changes-samesite-cookie

According to my investigation, setting sameSite to 'Lax' solves the Chrome issue, but I found that Azure Functions doesn't set sameSite at all; it completely ignores it! It's apparently another bug in the Function App :(

PS: I'm using Node + FunctionApp

mhabegger commented 2 years ago

Any update on the Function App side?

MagicMaxxx commented 1 year ago

Hi, any update on this issue? Having the same issue described above...