Azure / static-web-apps

Azure Static Web Apps. For bugs and feature requests, please create an issue in this repo. For community discussions, latest updates, kindly refer to the Discussions Tab. To know what's new in Static Web Apps, visit https://aka.ms/swa/ThisMonth
https://aka.ms/swa
MIT License

Cookies with sameSite or domain properties are not sent to client (non-local env) #760

Open benank opened 2 years ago

benank commented 2 years ago

When sending cookies as a response to a request in an included functions API (as part of a static web app), the cookies are not sent if they include the sameSite or domain properties. This only occurs in a deployed static web app - this issue is not present in local testing of the API functions.

To Reproduce Steps to reproduce the behavior:

  1. Create a static web app with an API. Host it on GitHub and use a GH workflow to deploy to Azure Static Web Apps.
  2. Set a cookie on the response with the sameSite: true or domain: "domain.com".
  3. Deploy static web app.
  4. Visit static web app API page (eg. /api/test) and inspect cookies in browser.
  5. Observe that the cookie was not set.

GitHub Actions workflow YAML file and staticwebapp.config.json files: files.zip

Expected behavior The cookie should be set, just like how it works when testing API functions locally with func start.

Device info:

rprasath commented 2 years ago

Is there any update on this issue? I am facing the same issue. Azure static web app reverse proxying the app service endpoints removes the cookie from the response. Below is the cookie sent by the API:

Set-Cookie: Auth=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=lax; httponly

This Auth cookie is not returned by the static web app. Is there any documentation regarding how cookies returned from APIs are handled by the Azure static web app / reverse proxy?

kayakingcoder commented 2 years ago

I'm trying to write something to my browser's localstorage. Works locally, but doesn't work when deployed on static webapp. As localstorage and cookies are "the same thing" in many cases, I wonder if I'm experiencing the same problem.

MagicMaxxx commented 1 year ago

Hi, any update on this issue? Having the same issue described above...

marcingolenia commented 1 year ago

+1

mushrune commented 1 year ago

If we could get an update on this, that would be excellent. Not being able to pass any cookies to the browser locks you into the auth mechanisms Azure SWAs offer, which is frustrating if you are using an auth provider that is not supported by azure SWAs.

zebleck commented 1 year ago

Also getting the error. No cookies being set when deployed.

OwaisAD commented 11 months ago

Same issue. Static Web App as the client and Web App as the server. Locally it works sending a cookie and removing it on sign out, but deployed it doesn't set the cookie.....

paliandris02 commented 7 months ago

Hello, I am facing this issue right now, have you found any workaround to this?

OwaisAD commented 7 months ago

Hello, Yea I managed to fix it by creating a cookie that has httpOnly: true, secure: true, secureOnly: true, sameSite: "None".  Also for my CORS configuration my allowedHeaders are ["Content-Type", "Access-Control-Allow-Headers", "Access-Control-Allow-Credentials"] with credentials: true. Are you getting any errors?

sethdorris commented 7 months ago

Are you using identity on your back end? Or did you manually create your cookie on the backend to get this to work? My react app is a static web app and I can't get it to send my cookie to my API

paliandris02 commented 7 months ago

My problem was that my Static Web App blocked the cookie, because the root domain of the App Service was obviously not the same as the Static Web App's. Therefore I bought a domain and in Azure I added it as a custom domain. I set the cookie's domain param to the domain I bought and now it works.

OwaisAD commented 7 months ago

I create cookies manually in my backend. It might be CORS configurations in your case. Remember to use credentials: "include" or credentials: true.
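The cross-site setup the two comments above converge on (SameSite=None plus Secure and HttpOnly on the cookie, credentialed CORS on the API, `credentials: "include"` in the browser), written out as an added example. This is not code from the thread or from the Static Web Apps project; the function names, the `ALLOWED_ORIGINS` list and the example hostnames are assumptions for illustration. The one thing the comments do not spell out is that `Access-Control-Allow-Credentials: true` must never be paired with a reflected or wildcard origin, so the CORS helper only echoes an exact allow-list match.

```javascript
// Added example, not code from the thread. Pure functions that an Express or
// Azure Functions handler can call; names and hostnames are assumptions.

// Constructed sample: the Static Web App origin(s) allowed to call the API.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Serialize the session cookie for cross-site use (SWA origin -> App Service
// origin). SameSite=None is required for that, and browsers discard a
// SameSite=None cookie that is not also Secure, so the two are set together.
// HttpOnly keeps the value out of document.cookie.
function buildAuthCookie(name, value, maxAgeSeconds) {
  if (!/^[\w-]+$/.test(name)) throw new Error("invalid cookie name");
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds < 0) {
    throw new Error("maxAgeSeconds must be a non-negative integer");
  }
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    "Path=/",
    "Secure",
    "HttpOnly",
    "SameSite=None",
  ].join("; ");
}

// Sign-out: same attributes, empty value, Max-Age=0. The thread's example used
// an Expires date in 1970; Max-Age=0 is the equivalent and simpler form. The
// attributes must match the original cookie or the browser keeps the old one.
function clearAuthCookie(name) {
  return buildAuthCookie(name, "", 0);
}

// CORS headers for a credentialed request. With credentials the wildcard "*"
// is not allowed for Allow-Origin, and reflecting an arbitrary Origin header
// would let any site make authenticated calls with the victim's cookie, so
// only an exact allow-list match is echoed. Returns null for other origins
// (the caller then omits the CORS headers entirely).
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "Content-Type",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    Vary: "Origin",
  };
}

// Browser side: without credentials: "include" the cookie is neither stored
// from the cross-site response nor sent on later cross-site requests.
// fetchImpl is injectable so the call can be exercised outside a browser.
async function callApi(apiBase, path, fetchImpl = globalThis.fetch) {
  return fetchImpl(`${apiBase}${path}`, { credentials: "include" });
}
```

Use `buildAuthCookie` for the `Set-Cookie` header on sign-in, `clearAuthCookie` on sign-out, and emit the object from `corsHeadersFor` on both the preflight and the actual response; the `Vary: Origin` entry keeps a shared cache from serving one origin's CORS headers to another.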

idan commented 3 months ago

We're running into this as well. There's no visibility or documentation about how cookies get stripped out from responses and how to control this behavior.

idan commented 2 months ago

I've created a minimal testcase showing this off:

https://github.com/githubnext/azureswacookies

IvanJobs commented 2 months ago

@idan thanks for making this repro repo. I'm looking into this issue right now and will come back once I got more insights.

IvanJobs commented 2 months ago

I didn't reproduce it with my own repo https://github.com/IvanJobs/vanilla-api. Is there anything else I should align so that I can repro it?

I set cookies here https://github.com/IvanJobs/vanilla-api/blob/main/api/GetMessage/index.js

idan commented 2 months ago

@IvanJobs hmm, I don't know.

Were you able to repro with the sample repo I provided?

It happens 100% consistently there.

idan commented 1 month ago

The mystery was resolved: Azure silently discards cookies with very long max-age. In this case, the cookie's max-age was set to 1000 years so as to effectively have no max-age. Azure silently removed the cookie.

My issue might not be related to this issue, so leaving this here for future folks running into trouble.

Thanks @IvanJobs for help with the investigation!
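A small `Set-Cookie` checker for the failure modes collected in this thread, added here as an example rather than taken from the thread or the Static Web Apps project. It parses one header, computes the effective lifetime from `Max-Age` or `Expires`, and flags three things: a lifetime beyond a cap (the 1000-year cookie above), `SameSite=None` without `Secure` (rejected by browsers), and a `Domain` attribute that does not cover the responding host (the domain mismatch described earlier). The thread does not state the exact limit Azure applies, so `MAX_LIFETIME_SECONDS` is an assumption; 400 days is the ceiling RFC 6265bis-following browsers (Chrome since 104) enforce, which makes it a reasonable clamp regardless of what the proxy does.

```javascript
// Added example, not code from the thread. MAX_LIFETIME_SECONDS is an
// assumption (the browser-side 400-day ceiling), not Azure's documented limit.
const MAX_LIFETIME_SECONDS = 400 * 24 * 60 * 60;

// Parse one Set-Cookie header into { name, value, attrs }. Attribute names are
// case-insensitive (RFC 6265), so they are lower-cased; flag attributes such
// as Secure and HttpOnly map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq < 0) throw new Error("Set-Cookie is missing name=value");
  const attrs = {};
  for (const raw of rest) {
    const seg = raw.trim();
    if (!seg) continue;
    const i = seg.indexOf("=");
    const key = (i < 0 ? seg : seg.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : seg.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Effective lifetime in seconds relative to `now` (ms since epoch). Max-Age
// takes precedence over Expires (RFC 6265 section 5.3); null means a session
// cookie or an attribute a browser would ignore (non-integer Max-Age,
// unparseable Expires).
function lifetimeSeconds(attrs, now = Date.now()) {
  if ("max-age" in attrs) {
    const s = String(attrs["max-age"]);
    return /^-?\d+$/.test(s) ? Number(s) : null;
  }
  if ("expires" in attrs) {
    const t = Date.parse(String(attrs["expires"]));
    return Number.isNaN(t) ? null : Math.round((t - now) / 1000);
  }
  return null;
}

// Return a list of problems (empty when the header looks deliverable).
// hostDomain is the host that sends the response, used for the Domain check.
function lintSetCookie(header, { now = Date.now(), hostDomain } = {}) {
  const { attrs } = parseSetCookie(header);
  const problems = [];

  const sameSite = String(attrs["samesite"] ?? "").toLowerCase();
  if (sameSite === "none" && attrs["secure"] !== true) {
    problems.push("SameSite=None without Secure: browsers reject the cookie");
  }

  const life = lifetimeSeconds(attrs, now);
  if (life !== null && life > MAX_LIFETIME_SECONDS) {
    problems.push(
      `lifetime ${life}s exceeds the ${MAX_LIFETIME_SECONDS}s cap; clamp Max-Age`
    );
  }

  if (hostDomain && attrs["domain"]) {
    // A leading dot is ignored; the host must equal the domain or be a subdomain.
    const d = String(attrs["domain"]).replace(/^\./, "").toLowerCase();
    const h = hostDomain.toLowerCase();
    if (h !== d && !h.endsWith("." + d)) {
      problems.push(`Domain=${d} does not cover response host ${h}: cookie rejected`);
    }
  }
  return problems;
}
```

Run `lintSetCookie` over the `Set-Cookie` headers your API emits (or over a captured response when the browser shows nothing) before blaming the proxy: the sign-out cookie quoted earlier in the thread passes cleanly, while a cookie with a 1000-year `Max-Age` is reported.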