I'm running my ASP.NET Core application locally on http://localhost:5002 and for some reasons I don't want to use https. It uses OpenIdConnect middleware for authentication and it produces a temporary cookie as shown below:

[screenshot of the temporary cookie, not reproduced here]

As a result Chrome blocks these cookies because of the missing Secure flag. On the other hand, this request is HTTP (insecure) and it's impossible to mark the cookies Secure. The only way I see is to avoid using HTTP and switch to HTTPS, which is not a good option for me for local development. Can I still use HTTP + OpenIdConnect middleware + Chrome, and what is the workaround?

neleus
  • `OpenIdConnect` has a property called `bool RequireHttpsMetadata`; did you try disabling it? And did you run your app on https before? Because of `HSTS`, sometimes the site is cached as https and needs to be purged from the cache. – HMZ Sep 24 '20 at 18:41
  • Yes, I ran the app on https previously. Now I tried `options.RequireHttpsMetadata = false` and cleared the HSTS cache in Chrome, but no luck. Also I found a similar issue where they had to reinstall Visual Studio to fix it: https://stackoverflow.com/a/58892860/2528649 That's so disappointing. – neleus Sep 25 '20 at 07:28
  • Actually that link https://stackoverflow.com/a/58892860/2528649 is not related to SameSite=None, so that solution cannot help. – neleus Sep 25 '20 at 07:35

1 Answer

Perhaps this could shed some light: LINK.

From the article

Chrome is changing the default behavior for how cookies will be sent in first and third party contexts. Cookies that do not specify a SameSite attribute will be treated as if they specified SameSite=Lax, i.e. they will be restricted to first-party or same-site contexts by default. Cookies that are intended for third-party or cross-site contexts must specify SameSite=None and Secure. Note: this also means cross-site or third-party cookies are restricted to secure / HTTPS connections only.

Since, I am guessing, your auth server is served from another domain, its cookie is a third-party cookie, so it falls under the new Chrome (>= v80) policies.

The workaround here would be either to downgrade your Chrome version or to use a browser without these restrictions.

MultiValidation
  • `Note: this also means cross-site or third-party cookies are restricted to secure / HTTPS connections only.` It means on Chrome >=80 we should forget about HTTP. Thanks for the info. – neleus Sep 25 '20 at 15:36
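To make the policy quoted in the answer concrete, here is an added example (not code from the question, the answer, or ASP.NET Core) that parses a Set-Cookie header and applies the three Chrome >= 80 rules the thread turns on: a missing SameSite attribute is treated as Lax, SameSite=None requires Secure, and a Secure cookie is only accepted over HTTPS. The cookie names and header strings in it are constructed for the demo; the OpenIdConnect middleware's real cookie names are not taken from the page.

```python
"""Model of the Chrome >= 80 SameSite/Secure cookie rules quoted above.

Added example, not part of the question or the answer. It parses a
Set-Cookie header the way a browser would and reports whether Chrome's
default policy would accept the cookie for the given URL scheme and
(first-party or cross-site) context.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value (None for flags such as Secure)
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header into name, value and attributes (RFC 6265 style)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return Cookie(name.strip(), value.strip(), attrs)


def effective_samesite(cookie: Cookie) -> str:
    """Chrome >= 80 treats a cookie with no SameSite attribute as SameSite=Lax."""
    value = cookie.attributes.get("samesite")
    return value.lower() if value else "lax"


def chrome_accepts(header: str, scheme: str, cross_site: bool) -> Tuple[bool, str]:
    """Decide whether Chrome >= 80 would accept and use the cookie, and why.

    scheme:     'http' or 'https' of the response that set the cookie.
    cross_site: True when the cookie is set in a third-party context, e.g. by
                an auth server on a different site than the application.
    """
    cookie = parse_set_cookie(header)
    secure = "secure" in cookie.attributes
    samesite = effective_samesite(cookie)

    # Rule 1: a Secure cookie set over plain HTTP is dropped by the browser.
    if secure and scheme != "https":
        return False, "Secure attribute on a non-HTTPS response: cookie rejected"
    # Rule 2: SameSite=None is only honoured together with Secure.
    if samesite == "none" and not secure:
        return False, "SameSite=None without Secure: cookie rejected"
    # Rule 3: Lax/Strict cookies (including the Lax default) are not sent cross-site.
    if cross_site and samesite in ("lax", "strict"):
        return False, "SameSite=%s cookie not sent in a cross-site context" % samesite
    return True, "accepted"


def demo() -> List[Tuple[str, str, bool, str]]:
    """Run constructed headers through the rules; returns (header, scheme, ok, reason)."""
    # Constructed sample headers standing in for the middleware's temporary cookie.
    cases = [
        ("auth_temp=abc; path=/; samesite=none; httponly", "http", True),
        ("auth_temp=abc; path=/; samesite=none; secure; httponly", "http", True),
        ("auth_temp=abc; path=/; samesite=none; secure; httponly", "https", True),
        ("session=1; path=/", "http", False),
    ]
    results = []
    for header, scheme, cross_site in cases:
        ok, reason = chrome_accepts(header, scheme, cross_site)
        results.append((header, scheme, ok, reason))
    return results


if __name__ == "__main__":
    for header, scheme, ok, reason in demo():
        print("%-5s %-60s -> %s (%s)" % (scheme, header, "OK" if ok else "BLOCKED", reason))
```

The first two cases reproduce the dead end described in the question: over HTTP the cookie is rejected whether or not it carries Secure, because SameSite=None needs Secure and Secure needs HTTPS. Only the third case, the same cookie over HTTPS, is accepted in a cross-site context, which is why the answer concludes that on Chrome >= 80 the cross-site login cookie cannot work over plain HTTP.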