
ASP.net core auth cookie not being set in Google Chrome when running in dev

I have three applications in my solution, all built in asp.net core 1 MVC 6.

  • App 1 is an MVC app used for authenticating a user.
  • App 2 is an Angular SPA app and is the main app in the solution.
  • App 3 is an MVC web api application.

In app 3, I have the usual asp.net core SignInManager and UserManager code (the same code as you get by default when you start a new MVC 6 template - the only difference is that it exists in my web api here). The login/logout/register etc. is exposed via web api methods in my AccountController. This allows me to lock down the web api, so only authenticated requests get processed (using the [Authorize] attribute).

When I call the "Login" method in my AccountController, if login is successful - it returns a Set-Cookie directive with the following name: ".AspNet.Microsoft.AspNet.Identity.Application" (this is used for authentication)

The login app then forwards the user from App1 to App2. All subsequent requests to the web api (App3) are then Authenticated and allowed to be executed. NOTE: By subsequent requests - specifically I mean, within App2, angular calling to ask for data from the web service.

All of this works fine - well, it works fine in IE. Which brings me to my question: why would this not be working in Chrome? I see the "Set-Cookie" directive coming back in the response from the web api Login in Chrome, but subsequent requests do not have this cookie attached.

What am I doing wrong?

NOTE: My Http Response from the login method looks like this:

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/json; charset=utf-8
    Expires: -1
    Server: Kestrel
    Set-Cookie: .AspNet.Microsoft.AspNet.Identity.Application=CfDJ8FWIuvXs-TxKoIYE8259iAY52B_VZDPTTvYwZ-WAo8hhPCdLhmUfxNZD1wjxEt0sqqnZl6NomwHPNTNFkBxsq4cw_WkQYklnj_dK79wodIguLdPXAbKu6UbS6HKRBxFxjOKVAfIdyxZJ6xA2CtnR9nJC_CSg7v1vFSzgDEiSBso8D3aDNjzFk87oIJodC7WLVxWUqdUpjaGRCXqHTYjTwgL9DCihnajAlB921_oEPinUwIPP8g_ugCQmqbFq6kgQ-GwPTifBKRlbtwNsDwbetynl1gIqzELyjgEUAKgtpD9SX7FSjl1grxoGRjbPiXJe-k1SSdnUIHR7wYPkFpiis_c_P1pGkmSyeiDG-lf0xftTlXlnC3BWMbgXeWZn_hsDzbW_Tek3qiq_NB-T0IMGaJgjRnr5DARNcOACWbzwGvHFjsn7n0u7-UZOfzgQJ76d3ra-hjra-aNcHLgbfDef3TK6z_CKt2iIlnTkyEJXC-3OSGnfWDRvofvQ216UApEPiKoJxiCjWSvGAQCzvf9P1TtKuwAQVxfWz8pL077E-Wfc-4ybtrT6Ivz2VbdFng5Ze5IQ5YWfYYTpDhLSHGKnpFgxVf96f7JwoXlgRq0gs7yEWdWFZs6d18pw-El5sLJr7g; path=/; secure; httponly
    Access-Control-Allow-Origin: *
    X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcUm9iZXJ0XERlc2t0b3BcSEJFIE1hbmFnZXJcTUFJTlxCbHVlem9uZSBXZWJBcGlcc3JjXEJ6LkFwcGxpY2F0aW9uXEJ6LkFwcGxpY2F0aW9uLkFwaVx3d3dyb290XGFwaVxhY2NvdW50XExvZ2lu?=
    X-Powered-By: ASP.NET
    Date: Wed, 04 May 2016 10:39:57 GMT
    Content-Length: 16

Rob McCabe asked May 03 '16 13:05


3 Answers

Hi I had this problem too.

While my localhost environment in VS worked fine and my user could be logged in, this didn't work in the published environment for Chrome.

This began when I was trying some self-signed-certificate stuff in IIS on my pre-production environment by turning on https with configured bindings. And after that I went back to http.

What you could try in Chrome is this: open the developer tools, go to the Application tab and in the left pane choose Clear storage. Under the diagram on the right, click Clear site data even if the usage shows 0 Bytes used. Do it anyway.

Finally I got my application with login features back.

Hope that this will help someone, too.

monsee answered Oct 17 '22 21:10


In my case, we had a C# ASP.NET Core 2.1 MVC application which was working fine when I launched it in Google Chrome. But one fine day it stopped working.

In Google Chrome Developer Tools I saw below

First, I noticed that Application -> Cookies .AspNetCore.Session was missing.

Second, in Console I noticed below warning.

A cookie associated with a resource at http://myapplication.company.net/ was set with SameSite=None but without Secure. It has been blocked, as Chrome now only delivers cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

I did below to fix it.

In our application, in Startup.cs I had like below

    public void ConfigureServices(IServiceCollection services)
    {
      services.Configure<CookiePolicyOptions>(options =>
      {
         options.MinimumSameSitePolicy = SameSiteMode.None;
      });
    }

We changed like below

    public void ConfigureServices(IServiceCollection services)
    {
      services.Configure<CookiePolicyOptions>(options =>
      {
         options.MinimumSameSitePolicy = SameSiteMode.Strict;
      });
    }

It solved the issue. I also noticed that in Developer Tools now I can see Application -> Cookies .AspNetCore.Session

Ziggler answered Oct 17 '22 21:10


I had the same problem: it worked in IE and Edge but not in Chrome, Firefox and Opera.

It seems to be a cookie size problem, and I solved it by reducing the data in the cookie.

See this for size limits: chrome cookie size limit

Ale_Mengo answered Oct 17 '22 21:10
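
The three answers above each name a different reason a browser can discard a `Set-Cookie` header: a `Secure` cookie arriving over plain http, `SameSite=None` without `Secure`, and an oversized cookie. The following checker is an added example, not code from any of the posters or from ASP.NET Core; the function names, reason codes, sample headers and port number are constructed, and the 4096-byte name-plus-value limit is the one given in RFC 6265bis (assumed here to match the browser under test).

```javascript
// Added example: diagnose why a browser may drop a Set-Cookie header.
// Limit on cookie name + value taken from RFC 6265bis (assumption for your browser).
const MAX_NAME_VALUE_BYTES = 4096;

// Split "name=value; attr; attr=val" into a name, value and lowercased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs: {},
  };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Return reason codes (hypothetical names) for the URL the response came from.
function rejectionReasons(header, responseUrl) {
  const c = parseSetCookie(header);
  const https = new URL(responseUrl).protocol === 'https:';
  const secure = c.attrs.secure === true;
  const sameSite = String(c.attrs.samesite || '').toLowerCase();
  const reasons = [];
  // A Secure cookie set by a plain-http response is refused.
  if (secure && !https) reasons.push('secure-over-http');
  // The console warning quoted in the second answer.
  if (sameSite === 'none' && !secure) reasons.push('samesite-none-without-secure');
  // The size problem from the third answer, measured in bytes, not characters.
  const size = new TextEncoder().encode(c.name + c.value).length;
  if (size > MAX_NAME_VALUE_BYTES) reasons.push('name-value-too-large');
  return reasons;
}

// Constructed samples shaped like the cookies discussed on this page.
const AUTH = '.AspNet.Microsoft.AspNet.Identity.Application=abc; path=/; secure; httponly';
const SESSION = '.AspNetCore.Session=abc; path=/; samesite=none';
const BIG = 'big=' + 'x'.repeat(5000) + '; path=/';

console.log(rejectionReasons(AUTH, 'http://localhost:5000/api/account/Login'));
console.log(rejectionReasons(SESSION, 'http://myapplication.company.net/'));
console.log(rejectionReasons(BIG, 'https://myapplication.company.net/'));
```

Copy the `Set-Cookie` line from the Network tab together with the exact URL of the response; an empty result means none of these three checks explains the missing cookie.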