.NET Framework SameSite update and OWIN problem with Ws-Federation #324
Comments
|
You're right that this doesn't sound SameSite specific, though it's odd that it's browser specific. The usual issue with vanishing cookies is addressed by adding the SystemWebCookieManager: |
|
@Tratcher Thanks for your response. Using the SystemWebCookieManager seems to fix the problem. |
|
Yes, SystemWebCookieManager (or SystemWebChunkingCookieManager) use is recommended when running on IIS. |
|
Ok, if I am right the ChunkingCookieManager is what is default used by Owin, isn't it? |
|
Yes, ChunkingCookieManager is the default for CookieAuthenticationOptions. |
ghost
locked as resolved and limited conversation to collaborators
I have .NET Framework 4.7 ASP.NET MVC application using Owin with Owin Ws-Federation for AAD authentication. After the .NET Framework update was installed on the server last week, we could not authenticate with AAD in some cases. I updated to Owin 4.1 but that did not fix the problem.
When I used Chrome (79) it dit not work, but when I use Edge it just works.
So I analyzed by debugging the application (got Owin code locally to debug it). What I saw was that the /signing-federation POST callback is just there with the correct information. The Owin Ws-Federation middleware sets the .AspNet.External cookie with the identity. But for some reason that cookie seems to be left out from the actual written response. With Chrome it is not in the response. With Edge it is. I looked even with Fiddler to the response to verify that. I can't see why it would be UA dependent. So it seems randomly. In my opinion this has nothing to do with the SameSite changes which just should do something with a value inside the cookie.
Any idea what's going on here?
The text was updated successfully, but these errors were encountered: