The nonce cookie's Secure flag is set in RememberNonce() and is based on whether the Request is secure or not. This causes issues where a web app is deployed via a reverse proxy that is doing TLS offloading and the back end connection is not secure.
With SameSite = None, the cookie should always be secure; however, there may be times when the cookie should honour the request.
The solution here would be to adopt the value for CookieAuthenticationOptions.CookieSecure set in UseCookieAuthentication(). By default, CookieAuthenticationOptions.CookieSecure is set to CookieSecureOption.SameAsRequest which is consistent with the current behaviour. The advantage is that the default can be overridden with CookieSecureOption.Always and allows for an insecure request to return the nonce cookie marked as Secure.
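To make the proposal concrete, here is an added example (not Katana's own code, and not a patch from this issue) of how the Secure flag could be derived from a CookieSecureOption instead of straight from Request.IsSecure, alongside the UseCookieAuthentication() setting a deployment behind a TLS-offloading proxy would use. The helper names (NonceCookieSecurity, ResolveSecure, AppendNonceCookie) and the idea of passing the option into the nonce write are assumptions for illustration; the CookieOptions fields mirror what RememberNonce() emits today.

```csharp
using System;
using System.Text;
using Microsoft.Owin;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example: derive the nonce cookie's Secure flag from a CookieSecureOption
// rather than from Request.IsSecure alone. Hypothetical helper, not Katana code.
public static class NonceCookieSecurity
{
    // SameAsRequest keeps the current behaviour (Secure only when the back end
    // connection itself is TLS). Always lets a plain-HTTP back end behind a
    // TLS-offloading proxy still emit the nonce cookie marked Secure.
    public static bool ResolveSecure(CookieSecureOption option, bool requestIsSecure)
    {
        switch (option)
        {
            case CookieSecureOption.Always:
                return true;
            case CookieSecureOption.Never:
                return false;
            case CookieSecureOption.SameAsRequest:
            default:
                return requestIsSecure;
        }
    }

    // Hypothetical replacement for the cookie write in RememberNonce().
    // 'cookieSecure' is assumed to be the value configured on the middleware options.
    public static void AppendNonceCookie(
        IOwinContext context,
        ICookieManager cookieManager,
        string nonceKey,
        string nonce,
        TimeSpan nonceLifetime,
        CookieSecureOption cookieSecure)
    {
        bool secure = ResolveSecure(cookieSecure, context.Request.IsSecure);

        cookieManager.AppendResponseCookie(
            context,
            nonceKey,
            Convert.ToBase64String(Encoding.UTF8.GetBytes(nonce)),
            new CookieOptions
            {
                SameSite = SameSiteMode.None,
                HttpOnly = true,
                Secure = secure,              // was: Secure = context.Request.IsSecure
                Expires = DateTime.UtcNow + nonceLifetime
            });
    }
}

// Startup for an app whose back end connection is plain HTTP behind a proxy
// that terminates TLS: override the SameAsRequest default so cookies still
// carry the Secure flag. (Hypothetical configuration for this example.)
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            // Default is CookieSecureOption.SameAsRequest.
            CookieSecure = CookieSecureOption.Always
        });
    }
}
```

A practical caveat when choosing SameAsRequest or Never: current browsers reject a cookie that carries SameSite=None without Secure, so on a plain-HTTP back end the nonce cookie would never be stored and the OpenID Connect response would fail nonce validation. Behind a TLS-offloading proxy, Always is the setting that avoids that failure.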