aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

Owin .AspNet.Correlation. cookie not found #376

Closed LumaiRashad closed 4 years ago

LumaiRashad commented 4 years ago

I am using Microsoft.Owin.Security.Google version 4.1.0.0. It was working fine until suddenly I found out that loginInfo returns null:

 var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();

After checking the logger I found out that ValidateCorrelationId returns false:

                // OAuth2 10.12 CSRF
                if (!ValidateCorrelationId(Options.CookieManager, properties, _logger))
                {
                    return new AuthenticationTicket(null, properties);
                }

Logger:

Microsoft.Owin.Security.Google.GoogleOAuth2AuthenticationMiddleware Warning: 0 : .AspNet.Correlation.Google cookie not found.
    ProcessId=12152
    DateTime=2020-08-30T14:56:07.5600804Z
and that .AspNet.Correlation.Google cookie not found.

Which means correlationCookie is null.

My Startup.Auth.cs:

            // Enable the application to use a cookie to store information for the signed in user
            // and to use a cookie to temporarily store information about a user logging in with a third party login provider
            // Configure the sign in cookie
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                Provider = new CookieAuthenticationProvider
                {
                    // Enables the application to validate the security stamp when the user logs in.
                    // This is a security feature which is used when you change a password or add an external login to your account.  
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
                },
                CookieManager = new SystemWebCookieManager()
            });

            //app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
            app.SetDefaultSignInAsAuthenticationType(DefaultAuthenticationTypes.ExternalCookie);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
                AuthenticationMode = AuthenticationMode.Passive,
                CookieName = CookiePrefix + DefaultAuthenticationTypes.ExternalCookie,
                ExpireTimeSpan = TimeSpan.FromMinutes(5),
                CookieManager = new SystemWebCookieManager()
            });

            // Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
            app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));

            // Enables the application to remember the second login verification factor such as phone or email.
            // Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
            // This is similar to the RememberMe option when you log in.
            app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);

            var googleOptions = new GoogleOAuth2AuthenticationOptions
            {
                ClientId = ConfigHelper.GetConfigSettingValue("GoogleAppID"),
                ClientSecret = ConfigHelper.GetConfigSettingValue("GoogleAppSecret"),
            };
            app.UseGoogleAuthentication(googleOptions);

Tratcher commented 4 years ago

Can you share a Fiddler trace of the login flow?

Which browser are you using?

LumaiRashad commented 4 years ago

Fiddler's Trace: https://bit.ly/3lyPbE0

Using google chrome browser.

Tratcher commented 4 years ago

On request 2 the cookie is issued as Set-Cookie: .AspNet.Correlation.Google=osdI... path=/; HttpOnly; SameSite=None, setting SameSite=None but not secure. It's not set as secure because you're initiating the login over http rather than https.

Chrome is now requiring that all SameSite=None cookies also be marked as secure. You're going to need to make sure your logins happen over https.
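As an added example (not code from the Katana project or from this thread), a small audit that scans Set-Cookie headers, such as the ones in a Fiddler trace, and flags the combination Tratcher points out on request 2: SameSite=None with no Secure flag, which Chrome drops so the correlation check later fails. The sample headers and the CONSTRUCTED cookie values are made up for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample headers (cookie values are made up). The second line has the
# shape of the header quoted in the thread: SameSite=None with no Secure flag,
# which is what gets issued when the login starts over http instead of https.
SAMPLE_HEADERS = [
    "Set-Cookie: .AspNet.ExternalCookie=CONSTRUCTED1; path=/; HttpOnly",
    "Set-Cookie: .AspNet.Correlation.Google=CONSTRUCTED2; path=/; HttpOnly; SameSite=None",
    "Set-Cookie: .AspNet.Correlation.Google=CONSTRUCTED3; path=/; secure; HttpOnly; SameSite=None",
]

@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    problems: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie line; attribute names are case-insensitive (RFC 6265)."""
    value = re.sub(r"^set-cookie:\s*", "", header.strip(), flags=re.IGNORECASE)
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    samesite: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = val.strip().lower()
    return CookieAudit(name, secure, httponly, samesite)

def audit(header: str) -> CookieAudit:
    """Flag the combination Chrome rejects: SameSite=None without Secure."""
    cookie = parse_set_cookie(header)
    if cookie.samesite == "none" and not cookie.secure:
        cookie.problems.append("SameSite=None without Secure: Chrome drops this cookie")
    return cookie

def rejected_cookies(headers: List[str]) -> List[str]:
    """Names of cookies in a trace that the browser will never send back."""
    return [c.name for c in map(audit, headers) if c.problems]
```

Running the audit over a trace of the login flow shows which cookies the browser silently discarded; a correlation cookie in that list explains a "cookie not found" warning without any bug in the application code.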

ghost commented 4 years ago

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.