aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

.NET Framework SameSite update and OWIN problem with Ws-Federation #324

Closed JaapMosselman closed 4 years ago

JaapMosselman commented 4 years ago

I have a .NET Framework 4.7 ASP.NET MVC application using Owin with Owin Ws-Federation for AAD authentication. After the .NET Framework update was installed on the server last week, we could not authenticate with AAD in some cases. I updated to Owin 4.1 but that did not fix the problem. When I used Chrome (79) it did not work, but when I use Edge it just works. So I analyzed by debugging the application (got Owin code locally to debug it). What I saw was that the /signing-federation POST callback is just there with the correct information. The Owin Ws-Federation middleware sets the .AspNet.External cookie with the identity. But for some reason that cookie seems to be left out from the actual written response. With Chrome it is not in the response. With Edge it is. I even looked at the response with Fiddler to verify that. I can't see why it would be UA dependent. So it seems random. In my opinion this has nothing to do with the SameSite changes, which should just do something with a value inside the cookie. Any idea what's going on here?

Tratcher commented 4 years ago

You're right that this doesn't sound SameSite specific, though it's odd that it's browser specific.

The usual issue with vanishing cookies is addressed by adding the SystemWebCookieManager: https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues

JaapMosselman commented 4 years ago

@Tratcher Thanks for your response. Using the SystemWebCookieManager seems to fix the problem. But it is still strange that the .NET Framework update seems to trigger this issue now. I even removed the update from the server, which fixed the problem, and after reinstalling it again the problem was there again as well. BTW: is it just safe to start using the SystemWebCookieManager? No performance implications or other known issues?

Tratcher commented 4 years ago

Yes, SystemWebCookieManager (or SystemWebChunkingCookieManager) use is recommended when running on IIS.

JaapMosselman commented 4 years ago

Ok, if I am right, the ChunkingCookieManager is what is used by default by Owin, isn't it? So it is best if I use SystemWebChunkingCookieManager, I think.

Tratcher commented 4 years ago

Yes, ChunkingCookieManager is the default for CookieAuthenticationOptions.
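As an added illustration of the fix discussed in this thread (this is example code, not from the Katana project or the issue author), here is an OWIN `Startup` that wires the `SystemWebChunkingCookieManager` from `Microsoft.Owin.Host.SystemWeb` into the cookie middleware that writes the `.AspNet.External` cookie and into the Ws-Federation middleware. The point is that every middleware that sets a cookie must use the System.Web-backed manager, otherwise a cookie written via the raw OWIN response headers can be dropped when System.Web flushes its own cookie collection. The tenant id, realm, and the external-cookie options (which mirror what `UseExternalSignInCookie` does internally) are assumptions for this example; the `CookieManager` property on `WsFederationAuthenticationOptions` is assumed to be the one added in Katana 4.1.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(ExampleApp.Startup))]

namespace ExampleApp
{
    public class Startup
    {
        // Placeholder values; replace with the tenant and app-id URI of the real AAD registration.
        private const string TenantId = "00000000-0000-0000-0000-000000000000";
        private const string Realm = "https://example.invalid/my-app";

        public void Configuration(IAppBuilder app)
        {
            // One shared manager: on IIS, cookies must go through System.Web's
            // HttpResponse.Cookies so that they survive the response being written by System.Web.
            var cookieManager = new SystemWebChunkingCookieManager();

            // Ws-Federation signs the user in as this authentication type first.
            app.SetDefaultSignInAsAuthenticationType(DefaultAuthenticationTypes.ExternalCookie);

            // The external sign-in cookie (".AspNet.ExternalCookie"), configured explicitly
            // instead of via UseExternalSignInCookie so that the CookieManager can be set.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
                AuthenticationMode = AuthenticationMode.Passive,
                CookieName = CookieAuthenticationDefaults.CookiePrefix + DefaultAuthenticationTypes.ExternalCookie,
                ExpireTimeSpan = TimeSpan.FromMinutes(5),
                CookieManager = cookieManager
            });

            // The application cookie that carries the signed-in identity after the external
            // identity has been converted into a local one.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                CookieManager = cookieManager
            });

            // Ws-Federation against AAD; it also writes a correlation cookie during the
            // redirect, so it gets the same manager (property assumed from Katana 4.1).
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = Realm,
                MetadataAddress = "https://login.microsoftonline.com/" + TenantId +
                                  "/federationmetadata/2007-06/federationmetadata.xml",
                CookieManager = cookieManager
            });
        }
    }
}
```

If the application does not need the external-cookie round trip, `SetDefaultSignInAsAuthenticationType` can point at `DefaultAuthenticationTypes.ApplicationCookie` instead and the external cookie middleware can be omitted; what matters for the symptom in this thread is that no cookie-writing middleware is left on the default `ChunkingCookieManager` while hosted in IIS.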