I cannot get Google Chrome to send an AspNetIdentity authentication cookie as part of a request when running my Angular 6 app on a different port than my API. I have tested auth by hosting the application in minified version on the API port (currently :4213) and it works just fine. My Angular app on :4200 receives the cookie; it is visible in F12 DevTools; it will not send it as part of a GET request.
Relevant sections of my pipeline:
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme);
//skipping Identity stuff, but it's there
services.ConfigureApplicationCookie(options =>
{
//options.IdleTimeout = TimeSpan.FromSeconds(10); // for testing only
options.Cookie.HttpOnly = true; // prevent JavaScript access
options.Cookie.Expiration = TimeSpan.FromDays(150); // half a year?
options.Cookie.SameSite = SameSiteMode.None;
}
services.AddCors(options => {
options.AddPolicy(StartupConfiguration.AllowCredentials, builder => {
builder.WithOrigins("https://localhost:4213", "https://localhost:4200")
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials();
});
});
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseCors(StartupConfiguration.AllowCredentials);
app.UseCookiePolicy(new CookiePolicyOptions {
MinimumSameSitePolicy = SameSiteMode.None
});
// Again, skipping ASP.NET Identity configuration, but it's there.
}
StartupConfiguration.AllowCredentials is just a static field that returns the string "AllowCredentials" (I despise magic strings).
The authentication methods are almost entirely irrelevant to this problem, because they are working just fine, but for the curious, they can be found here.
Housekeeping:
This question has a similar appearance, but the problem is different; I'm getting the cookie just fine, but the browser isn't sending it.
This question has an answer that seems to imply that I shouldn't be having this problem at all, since the only domain involved is localhost. Nevertheless, I am.
This question was helpful, but I have since removed the Lax property from the SameSite field of the cookie, and I'm still having the same problem.
Illustration of the problem:
Start app on :4213 via dotnet run. Navigate to my app's /welcome route. Click login. I'm redirected to a login page hosted on the same port. I login, it's successful, I'm redirected to the /welcome route again, but this time it sees that I am signed in. There's a cookie in my browser:
...and on subsequent requests to the server, that cookie is automatically sent.
Okay; so, I open a new terminal and I run
ng serve --host 0.0.0.0 --ssl true --ssl-key ./ssl/server.key --ssl-cert ./ssl/server.crt --configuration local-dev
...which starts the same app, with the same code, browsable via :4200 using the same protocol as the .NET Core app. I delete the cookie, just for kicks (but it doesn't matter, because even if I keep the cookie, it doesn't work). :4200/welcome -> :4213/id/login -> :4200/welcome (logged in). I now have the same cookie that I just deleted, but when the /welcome screen tries to determine if it is logged in by hitting the Authorize method (see link above), it will not send the cookie!
So in short, even though I am receiving the cookie, and it is being set, my browser will not send it. I have also tried Safari. Based on the info in the other questions, I do not understand why I am experiencing this problem. Any help would be appreciated.
Just to be clear, my question is:
How can I get my browser to send a cookie received via a different port from an app running on the same host but another port?
Thank you.
