
My response has a set-cookie header present but the browser doesn't seem to store it (in Postman it works like a charm). My API is written in .NET Core, and I'm using axios (React) on the client. The client requests are, however, proxied through an express server for SSR purposes.

I have tried multiple solutions posted here. From the basics of setting withCredentials to true in axios to setting the MinimumSameSitePolicy on the server to none which can be seen in the code.

Server

services.Configure<CookiePolicyOptions>(options =>
{
    // This lambda determines whether user consent for non-essential cookies is needed for a given request.
    options.CheckConsentNeeded = context => false;
    options.MinimumSameSitePolicy = SameSiteMode.None;
    options.ConsentCookie.HttpOnly = false;
});
..........
app.UseCookiePolicy(new CookiePolicyOptions
{
    MinimumSameSitePolicy = SameSiteMode.None,
    HttpOnly = HttpOnlyPolicy.None
});

Client

const axiosInstance = axios.create({
  baseURL: '/api',
  withCredentials: true,
  headers: {
    'Access-Control-Allow-Origin': 'http://localhost:3000/',
    'Content-Type': 'application/json'
  }
});

Proxy

app.use(
  '/api',
  proxy('https://localhost:44364/', {
    proxyReqOptDecorator(opts) {
      opts.rejectUnauthorized = false;
      opts.headers['x-forwarded-host'] = 'localhost:3000';
      return opts;
    },
    proxyReqPathResolver(req) {
      return `/api${req.url}`;
    }
  })
);

The response with cookie:

HTTP/1.1 200 OK
x-powered-by: ASP.NET
cache-control: no-cache
pragma: no-cache
content-type: text/plain; charset=utf-8
expires: Thu, 01 Jan 1970 00:00:00 GMT
server: Kestrel
set-cookie: .AspNetCore.Cookies=CfDJ8KvV0sFM8_FJqzJkoUey_LvYSADPHUA20Mq40db0KYSbL9Q2ZjS2JW87G8CzcTDBIpG1H6mZ_nuThzOniga7oRpguIgi3xIFCjkY5D0DXwT98ZVejY7nzLaCmV9rGLMkkqqADbr0zzwUkzXQqtWMtubY0cdHXPskTWFucMjjYk0BU4eCuWOjRzooL-QtwYtDClP720LVetm8lZGvAS6jfYpk-HWZIQiDo1ERKqhyIWKYqSFBEN0nV4ykL6KhfqEjcK8URzTEnBxdV7dCpk287smjAzTvOziRWfO6BtpxXC2tZ9NBeTLLqitn_CaAypewt9qMnjMi75zazo6yicRlTsDp-i3LT0OkD_ls1celSeG1VPlTg0OMVm0nADpZurMT9LSrijsSrcFT0wvNSTeW9vE; path=/; secure; samesite=lax; httponly
x-sourcefiles: =?UTF-8?B?QzpcVXNlcnNcTWFrYWxhXERlc2t0b3BcUm91dG9yaWFsXFJvdXRvcmlhbEFQSVxSb3V0b3JpYWxBUElcUm91dG9yaWFsQVBJXGFwaVxhY2NvdW50XGxvZ2luU3VibWl0?=
date: Sun, 26 May 2019 15:47:32 GMT
connection: close
Content-Length: 6
ETag: W/"6-+3OfqLi6+pGCkKvbVPPQANDiBD4"

2 Answers

In version 2.0, asp.net core introduced a new behavior: by default it adds a samesite=lax attribute to all set-cookie headers.

The Cookie Policy Middleware setting for MinimumSameSitePolicy can affect your setting of Cookie.SameSite in CookieAuthenticationOptions.

Try to explicitly override this default behavior in Startup.ConfigureServices:

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // Set directly on the options object; the inner "options =>" lambda in the original did not compile.
        options.Cookie.SameSite = SameSiteMode.None;
    });

Refer to: AspNet Core Identity, how set options.Cookie.SameSite?

Ryan

Thanks @Xing Zou! Your answer was close and made me think in the right direction. The CookiePolicyOptions were not working at all and didn't seem to override the default options. Instead, I used

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.None;
    });

in ConfigureServices and

app.UseAuthentication();

in Configure.

The browser wasn't setting the cookie when it had the secure flag so it had to be disabled with

options.Cookie.SecurePolicy = CookieSecurePolicy.None;

  • Do your cookies look like this? Mine look like the following and don't work. .AspNetCore.Identity.Application=; expires=Thu, 18 Feb 2021 18:42:36 GMT; path=/; secure; samesite=none; httponly – Scott Wilson Feb 11 '21 at 18:44
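The thread above turns on three browser rules for storing a cookie from a Set-Cookie header: a Secure cookie is only stored from a secure origin (current Chrome and Firefox also treat http://localhost as secure, which 2019-era browsers did not), SameSite=None is only accepted together with Secure (Chromium-based browsers since Chrome 80), and a SameSite=Lax or Strict cookie is discarded when the response belongs to a cross-site request. The following is an added example, not code from the question or either answer: a small JavaScript model of those rules, run over headers shaped like the ones in the thread (cookie values are constructed placeholders). The `localhostIsSecure` switch is an assumption used to compare old and current browser behaviour, and the `app.example` host is constructed. It shows why the original `secure; samesite=lax` cookie was dropped on http://localhost in 2019, why the accepted fix (SameSite=None without Secure) is rejected by current browsers, and why the cookie in the comment works only over https.

```javascript
// Added example: model of the checks a browser runs before storing a
// Set-Cookie value. Not part of the original question or answers.

// Parse "name=value; attr; attr=value" into { name, value, attrs } with
// lower-cased attribute names; valueless attributes (secure, httponly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const [k, ...v] = part.trim().split('=');
    attrs[k.toLowerCase()] = v.length ? v.join('=') : true;
  }
  return { name, value, attrs };
}

// ctx: { scheme, host, crossSite, localhostIsSecure }
//   scheme/host        - the origin the browser received the response from
//   crossSite          - true when the request was cross-site (e.g. a fetch from another site)
//   localhostIsSecure  - assumption knob: true models current Chrome/Firefox,
//                        false models 2019-era browsers or any non-localhost http host
function cookieStoreDecision(header, ctx) {
  const { name, attrs } = parseSetCookie(header);
  const secure = attrs.secure === true;
  // Browsers default a missing SameSite to Lax (Chrome 80+ behaviour).
  const sameSite = (typeof attrs.samesite === 'string' ? attrs.samesite : 'lax').toLowerCase();
  const originIsSecure =
    ctx.scheme === 'https' || (ctx.localhostIsSecure && ctx.host === 'localhost');
  const reasons = [];
  if (secure && !originIsSecure) reasons.push('Secure attribute on a non-secure origin');
  if (sameSite === 'none' && !secure) reasons.push('SameSite=None requires Secure');
  if (sameSite !== 'none' && ctx.crossSite) reasons.push(`SameSite=${sameSite} cookie in a cross-site response`);
  return { name, stored: reasons.length === 0, reasons };
}

// Constructed sample headers modelled on the thread; cookie values are placeholders.
const SAMPLES = {
  questionOriginal: '.AspNetCore.Cookies=constructed-value; path=/; secure; samesite=lax; httponly',
  acceptedAnswerResult: '.AspNetCore.Cookies=constructed-value; path=/; samesite=none; httponly',
  commentCookie: '.AspNetCore.Identity.Application=constructed-value; expires=Thu, 18 Feb 2021 18:42:36 GMT; path=/; secure; samesite=none; httponly',
};

function runScenarios() {
  const httpLocalhost2019 = { scheme: 'http', host: 'localhost', crossSite: false, localhostIsSecure: false };
  const httpLocalhostNow = { scheme: 'http', host: 'localhost', crossSite: false, localhostIsSecure: true };
  const httpsSameSite = { scheme: 'https', host: 'app.example', crossSite: false, localhostIsSecure: true };
  const httpsCrossSite = { scheme: 'https', host: 'app.example', crossSite: true, localhostIsSecure: true };
  return {
    // The question: Secure cookie on http://localhost, 2019 browser -> dropped.
    originalOn2019Localhost: cookieStoreDecision(SAMPLES.questionOriginal, httpLocalhost2019),
    // Same cookie in a current browser, which treats localhost as secure -> stored.
    originalOnCurrentLocalhost: cookieStoreDecision(SAMPLES.questionOriginal, httpLocalhostNow),
    // The accepted fix (SameSite=None, Secure removed) in a current browser -> dropped.
    answerFixOnCurrentBrowser: cookieStoreDecision(SAMPLES.acceptedAnswerResult, httpLocalhostNow),
    // The cookie from the comment, delivered over https -> stored.
    commentCookieOverHttps: cookieStoreDecision(SAMPLES.commentCookie, httpsSameSite),
    // A Lax cookie arriving on a cross-site response -> dropped.
    laxCookieCrossSite: cookieStoreDecision(SAMPLES.questionOriginal, httpsCrossSite),
  };
}

for (const [scenario, result] of Object.entries(runScenarios())) {
  console.log(scenario, result.stored ? 'stored' : `rejected: ${result.reasons.join('; ')}`);
}
```

Because the React app and the API share the localhost:3000 origin through the proxy, the request is same-site and Lax would have sufficed; the durable fix is to keep Secure and serve the development front end over https rather than to weaken the cookie attributes.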