
ASP Net Core 3.0 - Unrecognized SameSiteMode value -1 #18362

Closed
TiagoBrenck opened this issue Jan 15, 2020 · 4 comments
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer

Comments

@TiagoBrenck

Describe the bug

The code sample suggested in this doc for the SameSite cookie changes upcoming in Chrome returns an InvalidOperationException.

InvalidOperationException: Unrecognized SameSiteMode value -1
Microsoft.AspNetCore.CookiePolicy.ResponseCookiesWrapper.ApplyPolicy(string key, CookieOptions options)
Microsoft.AspNetCore.CookiePolicy.ResponseCookiesWrapper.ApplyAppendPolicy(ref string key, ref string value, CookieOptions options)
Microsoft.AspNetCore.CookiePolicy.ResponseCookiesWrapper.Append(string key, string value, CookieOptions options)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.WriteNonceCookie(string nonce)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
Microsoft.AspNetCore.Authentication.AuthenticationHandler<TOptions>.ChallengeAsync(AuthenticationProperties properties)
Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, string scheme, AuthenticationProperties properties)
Microsoft.AspNetCore.Authentication.AuthenticationHandler<TOptions>.ChallengeAsync(AuthenticationProperties properties)
Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, string scheme, AuthenticationProperties properties)
Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

To Reproduce

  1. Go to the Azure Portal, register an app and use the Quickstart link to download an AspNetCore solution.
  2. Configure the app according to the Quickstart documentation.
  3. Make sure your solution is using the Core 3.0 version.
  4. Add the SameSite cookie suggested code in Startup.cs:

```csharp
services.Configure<CookiePolicyOptions>(options =>
{
    // This lambda determines whether user consent for non-essential cookies is needed for a given request.
    options.CheckConsentNeeded = context => true;
    options.MinimumSameSitePolicy = (SameSiteMode)(-1);
    options.OnAppendCookie = cookieContext =>
        CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
    options.OnDeleteCookie = cookieContext =>
        CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
});

private void CheckSameSite(HttpContext httpContext, CookieOptions options)
{
    if (options.SameSite == SameSiteMode.None)
    {
        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (DisallowsSameSiteNone(userAgent))
        {
            options.SameSite = (SameSiteMode)(-1);
        }
    }
}

public static bool DisallowsSameSiteNone(string userAgent)
{
    // Cover all iOS based browsers here. This includes:
    // - Safari on iOS 12 for iPhone, iPod Touch, iPad
    // - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
    // - Chrome on iOS 12 for iPhone, iPod Touch, iPad
    // All of which are broken by SameSite=None, because they use the iOS networking
    // stack.
    if (userAgent.Contains("CPU iPhone OS 12") ||
        userAgent.Contains("iPad; CPU OS 12"))
    {
        return true;
    }

    // Cover Mac OS X based browsers that use the Mac OS networking stack.
    // This includes:
    // - Safari on Mac OS X.
    // This does not include:
    // - Chrome on Mac OS X
    // Because they do not use the Mac OS networking stack.
    if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
        userAgent.Contains("Version/") && userAgent.Contains("Safari"))
    {
        return true;
    }

    // Cover Chrome 50-69, because some versions are broken by SameSite=None,
    // and none in this range require it.
    // Note: this covers some pre-Chromium Edge versions,
    // but pre-Chromium Edge does not require SameSite=None.
    if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
    {
        return true;
    }

    return false;
}
```

  5. Run the application and the exception will be thrown.

Further technical details

  • ASP.NET Core version 3.0
  • Include the output of dotnet --info
  • The IDE (VS / VS Code / VS4Mac) you're running on, and its version
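The sample above relies on a sentinel value, `(SameSiteMode)(-1)`, that tells the cookie policy middleware to omit the SameSite attribute entirely for browsers that mishandle `SameSite=None`. The following is an added example, not code from the ASP.NET Core repository or from the reporter's project: it ports the user-agent test from the sample into Python, shows the `Set-Cookie` header that results for a modern browser versus a legacy one, and models the `Unrecognized SameSiteMode value -1` failure from the stack trace as a policy check that does not know the sentinel. The enum values, the user-agent strings and the cookie names are constructed for the example; the Secure-with-None rule is the standard browser requirement, not something the issue itself states.

```python
"""Model of the SameSite cookie policy used in the Startup.cs sample above.

Added example, not ASP.NET Core code. All user-agent strings and cookie
names are constructed; the enum mirrors the documented SameSiteMode values
with -1 standing for "unspecified" (write no SameSite attribute).
"""

from enum import IntEnum
from typing import Optional


class SameSiteMode(IntEnum):
    UNSPECIFIED = -1  # assumed sentinel, as (SameSiteMode)(-1) in the sample
    NONE = 0
    LAX = 1
    STRICT = 2


def disallows_samesite_none(user_agent: str) -> bool:
    """Port of DisallowsSameSiteNone: browsers known to mishandle SameSite=None."""
    # iOS 12 browsers share the iOS networking stack and treat None as Strict.
    if "CPU iPhone OS 12" in user_agent or "iPad; CPU OS 12" in user_agent:
        return True
    # Safari on macOS 10.14 (Chrome on macOS uses its own stack and is fine).
    if ("Macintosh; Intel Mac OS X 10_14" in user_agent
            and "Version/" in user_agent and "Safari" in user_agent):
        return True
    # Chrome 50-69: some versions reject None and none of them require it.
    if "Chrome/5" in user_agent or "Chrome/6" in user_agent:
        return True
    return False


def check_same_site(user_agent: str, mode: SameSiteMode) -> SameSiteMode:
    """Port of CheckSameSite: downgrade None to 'unspecified' for legacy agents."""
    if mode == SameSiteMode.NONE and disallows_samesite_none(user_agent):
        return SameSiteMode.UNSPECIFIED
    return mode


def policy_error(mode: SameSiteMode, runtime_knows_unspecified: bool) -> Optional[str]:
    """Model of the ApplyPolicy check in the stack trace.

    A runtime whose enum predates the sentinel (the 3.0.0 case in this issue)
    has no branch for -1 and raises; a newer runtime accepts it. Returns the
    error message instead of raising so the outcome is easy to assert on.
    """
    known = {SameSiteMode.NONE, SameSiteMode.LAX, SameSiteMode.STRICT}
    if runtime_knows_unspecified:
        known.add(SameSiteMode.UNSPECIFIED)
    if mode not in known:
        return f"Unrecognized SameSiteMode value {int(mode)}"
    return None


def build_set_cookie(name: str, value: str, mode: SameSiteMode,
                     user_agent: str = "", secure: bool = True,
                     http_only: bool = True) -> str:
    """Render the Set-Cookie value that the policy would emit for this agent."""
    effective = check_same_site(user_agent, mode)
    if effective == SameSiteMode.NONE and not secure:
        # Browsers that understand None reject it without Secure, so refuse early.
        raise ValueError("SameSite=None cookies must also be marked Secure")
    parts = [f"{name}={value}", "Path=/"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if effective != SameSiteMode.UNSPECIFIED:
        parts.append(f"SameSite={effective.name.capitalize()}")  # None/Lax/Strict
    return "; ".join(parts)


# Constructed user-agent strings for the three branches of the check.
CHROME_80_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")
CHROME_60_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")
SAFARI_IOS12_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) "
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 "
                   "Mobile/15E148 Safari/604.1")


if __name__ == "__main__":
    # The OIDC nonce cookie must travel on the cross-site POST back from the
    # identity provider, so the handler asks for SameSite=None.
    for label, ua in (("Chrome 80", CHROME_80_UA), ("Safari iOS 12", SAFARI_IOS12_UA)):
        print(f"{label:14} {build_set_cookie('nonce', 'n1', SameSiteMode.NONE, ua)}")
    print("3.0.0 runtime:", policy_error(SameSiteMode.UNSPECIFIED, False))
    print("3.0.1 runtime:", policy_error(SameSiteMode.UNSPECIFIED, True))
```

Run it directly to see the two header variants side by side; the legacy-agent header carries no SameSite attribute at all, which is exactly the outcome the `-1` sentinel exists to express, and `policy_error` shows why a runtime that predates the sentinel produces the exception in the report rather than silently writing a bad attribute.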
@blowdart
Contributor

It is likely Web Apps haven't installed the latest Core update yet.

@analogrelay
Contributor

https://aspnetcoreon.azurewebsites.net indicates it should be there (3.0.1/3.1.0 is present).

@TiagoBrenck can you go to the Kudu Console (instructions below) and run dotnet --info there and paste the output? It's possible it's not properly set up. Also can you share the full sample project that reproduces the issue?

Getting to the Kudu Console.

  1. Add scm between your app service name and .azurewebsites.net in the domain name, so if your app service is foo.azurewebsites.net, go to foo.scm.azurewebsites.net
  2. Click "Debug Console" and choose either "CMD" or "PowerShell"
  3. Type dotnet --info in the console window and include the output.

@analogrelay analogrelay added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Jan 16, 2020
@TiagoBrenck
Author

@anurse, while I was doing this step I figured out that the problem was local, and I found that I had core 3.0.0 instead of 3.0.102. After downloading the 3.0.1 it worked fine.

Sorry about that.

@analogrelay
Contributor

No problem! Glad you were able to resolve the issue!

@analogrelay analogrelay removed the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Jan 17, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Feb 16, 2020