-
Notifications
You must be signed in to change notification settings - Fork 331
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Aspnet External Cookie not set for Sign On with Microsoft Post 4.72 SameSite Changes on Asp.net MVC #331
Comments
Looks like you're on the right track. I have seen some reports that the .NET patches have exacerbated the existing System.Web cookie issue. All cases I've seen have been fixed by liberal use of the SystemWebCookieManager. In your example I think the piece you're missing is being able to apply that to the Also, did you intentionally leave out the implementation for this?
|
The link to the source code doesn't work (404). Everywhere I could find to override the cookiemanager I have, but curious to see if there was another. For the diallows I left it blank since the issue is the critical code never calling that method, and this was already 200 lines of code thanks |
Woops, fixed the link. |
It looks like the key line of code to change behavior is:
but if I do this, the rest of my login code breaks when cookie: .AspNet.ApplicationCookie is no longer set downstream. I have not looked into that issue as of yet, but is that what you would expect to happen? If we upgrade to .net core do these issues just go away? |
You shouldn't need to change the AuthenticationMode for the external cookie, you should only need to add the SystemWebCookieManager.
Correct, the System.Web cookie issue is not present in ASP.NET Core because it doesn't rely on System.Web at all. Core does still need some of the SameSite mitigations like DisallowsSameSiteNone which is outlined in the docs. |
If you look at my initial code you can see both openId and cookies I am using a new SystemWebCookieManager. With setting break points in the SameSiteCookieManager which should be called before the SystemWebCookieManager the code is neveral called for the extneral cookie. Looks like my comment on my passive was wrong, the cookie name replaced the default of ".AspNet.ApplicationCookie". Passive still broke my code, but did not fix any of my other issues. can you get openid to work on 4.72 using only the nuget packages? I am wondering if somehow the wrong code was built / deployed? (grasping at straws)... I really think something was broken deep in .net/owin with the november patch... |
Let me clarify. You're missing one more place to plug in SystemWebCookieManager, inside UseExternalSignInCookie. To do that you're going to need to replace
|
UseExternalSignInCookie adds an additional instance of UseCookieAuthentication for the external cookie. That instance also needs the SystemWebCookieManager. |
You can't, you have to replace it as shown above: #331 (comment) |
Sorry for being so hard to help. What does "replace mean" / Where do I replace it:
I think replace can mean a few very different things. can you update the comment with more of the code before/after? thanks |
Yes. There's no overload of UseExternalSignInCookie that does what you want, so you have to copy its code into Startup and then modify it. |
can you show an example of the full method? |
Is this any clearer? #331 (comment) |
SO MUCH CLEARER I was not understanding that you wanted a second instance of UseCookieAuthentication, I thought you were trying to change the first one. I'll be back online later tonight to test the code. |
I think that fixed it. Thank you for your help, I really appreciate it. Will battle test the code a bit more tomorrow, but looks good. Is there a reason you don't update the owin code to do that behavior by default? Is Owin for .net 4.72 going to still be maintained, or was this the last major update? |
The Owin components were designed to work with multiple servers so they don't ship with any direct dependencies on SystemWeb components. That said, I'll file a template bug so we can at least enable SystemWebCookieManager by default in new projects.
The Microsoft.Owin components get critical updates but minimal new feature work. All feature development is happening over in ASP.NET Core. |
The above solution solved this problem for me (for openidconnect) - still testing Does the LinkedInAuthenticationOptions allow changing CookieManager? |
That's not one we maintain. Looks like it came from here? It hasn't been updated in a while, someone might have to go add that option. |
Now my windows live signin breaks
Any reason for this ============================================ Just to explain - this was because of updating owin from 3.0 to 4.1. For this update - MSFT have changed (I think) the ability to connect to live accounts. This meant that my existing apps registration didn't work. To solve:
|
Breaks how? |
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate. See our Issue Management Policies for more information. |
the changes above resolved my problem. |
Apologies for being a bit verbose, but want to try and be specific. I am having trouble with .AspNet.ExternalCookie after the same site changes of Nov 2019 and Azure update of Jan 2020
Setup:
Issue:
Sign on with Microsoft was broken with the changes to support SameSite on Azure. We were able to bandaid fix by applying the “roll back” technique of aspnet:SuppressSameSiteNone.
Symptoms:
With the suppress same site flag post logging in with Microsoft the .AspNet.ExternalCookie is set but without samesite:none. Without the flag the cookie is never set (or at least in a way I can see it)
What I have tried
** the cookie for aspnet.externalcookie does not go through the new cookie manager
** All cookies other than aspnet.externalcookie are seen by this module
this sounds like the problem on #324 which was closed, without a real resolution - the requester said when he re-installed the the path the bug returned.
my code, apology for a lot of it, I tried to rip out as much as I could that was extraneous.
The text was updated successfully, but these errors were encountered: