aspnet-contrib / AspNet.Security.OpenId.Providers

OpenID 2.0 authentication middleware for ASP.NET Core
Apache License 2.0

Antiforgery issue when hosted in AWS ECS #168

Open drond opened 9 months ago

drond commented 9 months ago

Hello!

I'm using Steam auth in my app (.NET 8 Blazor SSR app) and came across the issue - when running locally (pure dotnet or docker) everything goes well, auth works as expected, but once I've published my app into an AWS ECS cluster it stopped working.

Looks like there is some issue with Antiforgery cookies:

Maybe you could help with solving that as I'm totally exhausted with googling anything related to that issue :(

PS Meanwhile I deployed my app (kinda just a pure API with Steam auth) into DigitalOcean and it works... but not in AWS

martincostello commented 9 months ago
  • Where are you storing your data protection keys? It could be that they're not being stored in a shared location that all the ECS pods can access, so they don't agree on all the settings. Documentation
  • Have you configured HTTP forwarded headers to be trusted appropriately so that things like whether the request is over HTTPS are honoured? It could be that things aren't being trusted correctly, so the app thinks requests are over HTTP instead of HTTPS, so cookies get "lost". Documentation.

AndreiShirmanov commented 9 months ago

Thank you for rapid reaction

1) There is a single pod within a single service in ECS, and I even tried the AWS solution that stores protection keys in shared Systems Manager.

2) Looks like this one I have to investigate a bit deeper, will take a look and get back to you

drond commented 9 months ago
> • Where are you storing your data protection keys? It could be that they're not being stored in a shared location that all the ECS pods can access, so they don't agree on all the settings. Documentation
> • Have you configured HTTP forwarded headers to be trusted appropriately so that things like whether the request is over HTTPS are honoured? It could be that things aren't being trusted correctly, so the app thinks requests are over HTTP instead of HTTPS, so cookies get "lost". Documentation.

Soooo, after further investigation I've noticed a warning in Chrome about an attempt to set a SECURE cookie over an HTTP request (I didn't set up HTTPS yet). And in my cookie policy it was set to AlwaysSecure/SameSite.None. So I've changed the config to SameAsRequest/SameSite.Lax and boom, done. Anyway thank you for your help )

PS I understand that using non-secure cookies is not a good idea, but so far so good, I don't have experience in setting up certificates etc :)
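The two checks martincostello raised (shared data protection keys, trusted forwarded headers) and the cookie policy drond ended up changing, put together in one Program.cs as an added example that is not from the project or from anyone in this thread. It assumes TLS is terminated at a load balancer in front of the container, that the balancer sits in the 10.0.0.0/16 subnet, and that /keys is a shared persistent volume; those values, the application name and the scheme name are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Keep the data protection key ring outside the container image so every
// task (and every redeploy) can decrypt the same antiforgery and auth cookies.
// "/keys" is a placeholder for a shared, persistent volume.
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo("/keys"))
    .SetApplicationName("steam-auth-app"); // placeholder name

// Honour X-Forwarded-Proto / X-Forwarded-For, but only from the load balancer:
// an untrusted client must not be able to claim its request was HTTPS.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    options.KnownProxies.Clear();
    options.KnownNetworks.Clear();
    // Assumed load balancer subnet (fully qualified to avoid the System.Net.IPNetwork clash in .NET 8).
    options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
        System.Net.IPAddress.Parse("10.0.0.0"), 16));
});

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie()
    .AddSteam(); // AspNet.Security.OpenId.Steam, as used by the reporter
builder.Services.AddAntiforgery();

var app = builder.Build();

// Must run before cookie policy, authentication and antiforgery so that
// Request.IsHttps reflects the original client connection, not the proxy hop.
app.UseForwardedHeaders();

// With the scheme restored to HTTPS, Secure + SameSite=Lax cookies are accepted
// by the browser, so there is no need to downgrade to SameAsRequest.
app.UseCookiePolicy(new CookiePolicyOptions
{
    Secure = CookieSecurePolicy.Always,
    MinimumSameSitePolicy = SameSiteMode.Lax,
});

app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery();
app.MapGet("/whoami", (HttpContext ctx) => $"scheme={ctx.Request.Scheme} user={ctx.User.Identity?.Name}");
app.Run();
```

Hitting /whoami through the balancer should report scheme=https; if it reports http, the forwarded headers are not being trusted and the Secure cookie will be dropped exactly as in the Chrome warning above.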