23

I have three applications in my solution, all built in ASP.NET Core 1 MVC 6.

  • App 1 is an MVC app used for authenticating a user.
  • App 2 is an Angular SPA app and is the main app in the solution.
  • App 3 is an MVC web api application.

In app 3, I have the usual ASP.NET Core SignInManager and UserManager code (the same code you get by default when you start a new MVC 6 template; the only difference is that it exists in my web API here). The login/logout/register etc. is exposed via web API methods in my AccountController. This allows me to lock down the web API, so only authenticated requests get processed (using the [Authorize] attribute).

When I call the "Login" method in my AccountController, if login is successful, it returns a Set-Cookie directive with the following name: ".AspNet.Microsoft.AspNet.Identity.Application" (this is used for authentication).

The login app then forwards the user from App1 to App2. All subsequent requests to the web API (App3) are then authenticated and allowed to be executed. NOTE: By subsequent requests I specifically mean, within App2, Angular calling to ask for data from the web service.

All of this works fine. Well, it works fine in IE. Which brings me to my question: why would this not be working in Chrome? I see the "Set-Cookie" directive coming back in the response of the web API Login in Chrome, but subsequent requests do not have this cookie attached.

What am I doing wrong?

NOTE: My Http Response from the login method looks like this:

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/json; charset=utf-8
    Expires: -1
    Server: Kestrel
    Set-Cookie: .AspNet.Microsoft.AspNet.Identity.Application=CfDJ8FWIuvXs-TxKoIYE8259iAY52B_VZDPTTvYwZ-WAo8hhPCdLhmUfxNZD1wjxEt0sqqnZl6NomwHPNTNFkBxsq4cw_WkQYklnj_dK79wodIguLdPXAbKu6UbS6HKRBxFxjOKVAfIdyxZJ6xA2CtnR9nJC_CSg7v1vFSzgDEiSBso8D3aDNjzFk87oIJodC7WLVxWUqdUpjaGRCXqHTYjTwgL9DCihnajAlB921_oEPinUwIPP8g_ugCQmqbFq6kgQ-GwPTifBKRlbtwNsDwbetynl1gIqzELyjgEUAKgtpD9SX7FSjl1grxoGRjbPiXJe-k1SSdnUIHR7wYPkFpiis_c_P1pGkmSyeiDG-lf0xftTlXlnC3BWMbgXeWZn_hsDzbW_Tek3qiq_NB-T0IMGaJgjRnr5DARNcOACWbzwGvHFjsn7n0u7-UZOfzgQJ76d3ra-hjra-aNcHLgbfDef3TK6z_CKt2iIlnTkyEJXC-3OSGnfWDRvofvQ216UApEPiKoJxiCjWSvGAQCzvf9P1TtKuwAQVxfWz8pL077E-Wfc-4ybtrT6Ivz2VbdFng5Ze5IQ5YWfYYTpDhLSHGKnpFgxVf96f7JwoXlgRq0gs7yEWdWFZs6d18pw-El5sLJr7g; path=/; secure; httponly
    Access-Control-Allow-Origin: *
    X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcUm9iZXJ0XERlc2t0b3BcSEJFIE1hbmFnZXJcTUFJTlxCbHVlem9uZSBXZWJBcGlcc3JjXEJ6LkFwcGxpY2F0aW9uXEJ6LkFwcGxpY2F0aW9uLkFwaVx3d3dyb290XGFwaVxhY2NvdW50XExvZ2lu?=
    X-Powered-By: ASP.NET
    Date: Wed, 04 May 2016 10:39:57 GMT
    Content-Length: 16

Rob
  • Are the domains hosting those 3 apps the same? – janv8000 May 13 '16 at 06:58
  • Yeah, as in, it's localhost, then a different port for each app – Rob May 13 '16 at 11:22
  • 1
    That might be the issue, I've found a couple of questions regarding Chrome and localhost cookies, see http://stackoverflow.com/questions/8134384, http://stackoverflow.com/questions/7346919 – janv8000 May 15 '16 at 16:36

3 Answers

22

Hi, I had this problem too.

While my localhost environment in VS worked fine and my user could be logged in, this didn't work in the published environment for Chrome.

This began when I was trying some self-signed-certificate stuff in IIS on my pre-production environment by turning on https with configured bindings. After that I went back to http.

What you could try in Chrome is this: open the developer tools, go to the Application tab and in the left pane choose Clear storage. Under the diagram on the right, click Clear site data even if the usage shows 0 Bytes used. Do it anyway.

Finally I got my application with login features back.

Hope that this will help someone, too.

Sum1Unknown
  • 2
    Confirmed that it even works if "0 Bytes Used" is stated. You just saved my day. – Graham Meehan Nov 29 '19 at 20:06
  • 1
    Worked for me too. I encountered this issue with Chrome (no other browser) when running [A better way to handle ASP.NET Core authorization](https://www.thereformedprogrammer.net/a-better-way-to-handle-asp-net-core-authorization-six-months-on) on LocalHost. +1 – Yogi Mar 02 '20 at 19:21
  • 1
    Thanks, saved my sanity after 3 hours of trying to debug an application that was running just fine.. – Mudo Jun 17 '20 at 04:42
  • You saved the day bro.. Thank you very much. – Cem Dec 14 '20 at 08:55
13

In my case, we had a C# ASP.NET Core 2.1 MVC application which was working fine when I launched it in Google Chrome. But one fine day it stopped working.

In Google Chrome Developer Tools I saw the following.

First, I noticed that under Application -> Cookies, .AspNetCore.Session was missing.

Second, in the Console I noticed the warning below.

A cookie associated with a resource at http://myapplication.company.net/ was set with SameSite=None but without Secure. It has been blocked, as Chrome now only delivers cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

I did the following to fix it.

In our application, Startup.cs had this:

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Lowest SameSite mode the cookie policy accepts for outgoing cookies
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });
    }

We changed it to this:

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Raised from SameSiteMode.None to SameSiteMode.Strict
            options.MinimumSameSitePolicy = SameSiteMode.Strict;
        });
    }

It solved the issue. I also noticed that in Developer Tools I can now see .AspNetCore.Session under Application -> Cookies.

Irvin Dominin
Ziggler
  • 1
    This happened to me with the Consent cookie using Asp.Net Core 3.1 and the latest Chrome. Works perfectly with SameSiteMode.Strict – Ilias.P Sep 01 '20 at 09:06
  • 1
    It happened to me with Language Cookie on ASP.NET Core 3.1. Lost 3-4 hours trying to fix it and this config worked. Thanks! – apostolov Sep 11 '20 at 12:44
  • Lost so much time trying to figure out why cookies would work when running the project locally but not in prod. This config saved the day, thank you! – Tyler Edwards Apr 08 '22 at 03:43
1

I had the same problem: it worked in IE and Edge but not in Chrome, Firefox and Opera.

It seems to be a cookie size problem, and I solved it by reducing the data in the cookie.

See this for size limits: chrome cookie size limit

Ale_Mengo
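
The Chrome behaviours that the second and third answers describe (SameSite=None without Secure, and an oversized cookie) can be checked directly against a Set-Cookie header. The following is an added example, not code from any of the answers; the function names, the `needsCrossSite` option, the 4096-byte constant and the sample headers are assumptions constructed for illustration. It also reports when a Lax or Strict cookie would be withheld from cross-site fetch/XHR calls, which is the trade-off of raising the policy to `SameSiteMode.Strict`.

```javascript
// Added example: why would Chrome drop or withhold this cookie?
// Assumed limit: 4096 bytes, measured here over name plus value.
const MAX_COOKIE_BYTES = 4096;

// Split one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const [key, ...val] = part.trim().split('=');
    if (key) attrs[key.toLowerCase()] = val.join('=').trim();
  }
  return {
    name: eq < 0 ? '' : pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    attrs,
  };
}

// needsCrossSite (hypothetical option): the cookie must ride on cross-site
// fetch/XHR calls, not only on same-site requests.
function auditSetCookie(header, { needsCrossSite = false } = {}) {
  const { name, value, attrs } = parseSetCookie(header);
  const findings = [];
  const secure = 'secure' in attrs;
  // Chrome treats a cookie with no SameSite attribute as SameSite=Lax.
  const sameSite = (attrs.samesite || 'lax').toLowerCase();
  if (sameSite === 'none' && !secure) {
    findings.push('BLOCKED: SameSite=None without Secure');
  }
  if (new TextEncoder().encode(name + value).length > MAX_COOKIE_BYTES) {
    findings.push('BLOCKED: cookie larger than ' + MAX_COOKIE_BYTES + ' bytes');
  }
  if (needsCrossSite && sameSite !== 'none') {
    findings.push('WITHHELD: SameSite=' + sameSite + ' is not sent on cross-site fetch/XHR');
  }
  return findings;
}

// Constructed sample headers, not captured from any real application.
const SAMPLES = {
  noneWithoutSecure: '.AspNetCore.Session=abc; path=/; samesite=none; httponly',
  strict: '.AspNetCore.Session=abc; path=/; samesite=strict; httponly',
  oversized: 'auth=' + 'A'.repeat(5000) + '; path=/; secure; httponly',
  crossSiteOk: 'auth=abc; path=/; secure; samesite=none; httponly',
};
for (const [label, header] of Object.entries(SAMPLES)) {
  console.log(label, auditSetCookie(header, { needsCrossSite: true }));
}
```

An empty result means none of these three checks fired; it does not rule out other causes such as stale site data left in the browser.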