
Set the Scene
I'm experiencing a very unique scenario where my ASPNet.SharedCookie seems to be disappearing or altered in IE11 when under a proxy. I'll set the scene:

We have 2 websites that are hosted on different servers, let's call them:

  1. https://login.mydomain.com
  2. https://product.mydomain.com

The first site deals with authentication, it checks credentials and sets the cookie for the domain .mydomain.com. This has worked perfectly for 99% of scenarios (we have a large user base).

The Problem
We have 1 user that uses Citrix, so they access the product via a proxy and they have no control over browser versions. They must use IE11.

So they access login.mydomain.com and enter their credentials, the cookie is authenticated and set, and they are then redirected to product.mydomain.com. But when they hit this site the cookie doesn't appear to be there, or seems to have been altered (I can't find out exactly because they don't have access to see the cookie on their machine). From our logs I know we get the following:

Authorization failed for user: null.

Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.

Has anyone experienced this before? Like I say, it works for the masses, but for this unique scenario we are having difficulties.

The Detail
Startup for the login site:

using System;
using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;

// Was previously services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme) but the issue still occurred
services.AddAuthentication(options => 
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;                    
})
.AddCookie(options => {
    // Key ring shared with the product site. Both sites must build the same protector
    // (same key location, same purpose strings) or neither can unprotect the other's ticket.
    var protectionProvider = DataProtectionProvider.Create(new DirectoryInfo(Config.KeyLocation));
    var dataProtector = protectionProvider.CreateProtector("Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware", "Cookie", "v2");
    var ticketFormat = new TicketDataFormat(dataProtector);

    options.ClaimsIssuer = MyIdentity.AuthType;
    options.TicketDataFormat = ticketFormat;
    options.Cookie.Name = Config.CookieName;          // must be identical on both sites
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.Domain = Config.Domain;            // ".mydomain.com": sent to every subdomain
    options.Cookie.Expiration = TimeSpan.FromMinutes(Config.Expiration);
    options.Cookie.SameSite = SameSiteMode.None;      // no same-site restriction on the cookie
    options.ExpireTimeSpan = TimeSpan.FromMinutes(Config.ExpireTimeMins);
    options.SlidingExpiration = true;
    options.Events = new CookieAuthenticationEvents()
    {
        // Send unauthenticated users to the login site instead of the default /Account/Login
        OnRedirectToLogin = ctx =>
        {
            ctx.Response.Redirect(Config.Login);
            return Task.FromResult<object>(null);
        }
    };
});

I'm also calling services.AddDataProtection() and .PersistKeysToFileSystem().

Let me know if I should add the Startup code for the product; I'm not sure if it makes any difference, as I'm presuming the issue with the cookie is occurring on the redirect.

Thanks for any help!

Lloyd Powell
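The product site's Startup is not shown in the post, so the following is an added example (not the asker's code) of what the receiving side needs: the same key ring, the same purpose strings and the same cookie name, plus a small diagnostic middleware that runs before authentication and tells "cookie never arrived" apart from "cookie arrived but will not unprotect". That is exactly the distinction the logs above ("Authorization failed for user: null") cannot make. The constants (key-ring path, cookie name, domain) and the log category are assumptions standing in for the post's Config values; the middleware deliberately logs only the cookie's length, never its value, because the value is a bearer credential.

```csharp
// Added example for the product site (product.mydomain.com); not code from the original post.
// Assumed values: SharedKeyRing, CookieName and CookieDomain must match the login site.
using System;
using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class Startup
{
    private const string SharedKeyRing = @"\\fileshare\keys";     // assumption: same folder the login site persists keys to
    private const string CookieName    = ".AspNet.SharedCookie";  // assumption: same name the login site sets
    private const string CookieDomain  = ".mydomain.com";

    // Built once so the diagnostic middleware and the cookie handler share one protector.
    private static readonly TicketDataFormat TicketFormat = BuildTicketFormat();

    private static TicketDataFormat BuildTicketFormat()
    {
        var provider = DataProtectionProvider.Create(new DirectoryInfo(SharedKeyRing));
        // Purpose strings must match the login site byte for byte: a different purpose chain
        // derives a different key and Unprotect silently returns null.
        var protector = provider.CreateProtector(
            "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
            "Cookie", "v2");
        return new TicketDataFormat(protector);
    }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.TicketDataFormat = TicketFormat;
                options.Cookie.Name = CookieName;      // handler reads this cookie and no other
                options.Cookie.Domain = CookieDomain;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Diagnostic middleware: placed before UseAuthentication so it sees the raw request.
        app.Use(async (context, next) =>
        {
            var log = context.RequestServices.GetRequiredService<ILoggerFactory>()
                             .CreateLogger("SharedCookieDiag");
            var userAgent = context.Request.Headers["User-Agent"].ToString();

            if (!context.Request.Cookies.TryGetValue(CookieName, out var raw))
            {
                // The browser, or something between it and us (a proxy), did not send the cookie.
                log.LogWarning("No '{Cookie}' cookie on {Path}; any Cookie header at all: {HasHeader}; UA: {UA}",
                    CookieName, context.Request.Path, context.Request.Headers.ContainsKey("Cookie"), userAgent);
            }
            else if (TicketFormat.Unprotect(raw) == null)
            {
                // The cookie arrived but does not decrypt: truncated or rewritten in transit,
                // or protected with a different key ring / purpose chain. Log length only.
                log.LogWarning("'{Cookie}' present ({Length} chars) on {Path} but Unprotect failed; UA: {UA}",
                    CookieName, raw.Length, context.Request.Path, userAgent);
            }

            await next();
        });

        app.UseAuthentication();
        app.UseMvc();
    }
}
```

With this in place, one request from the affected user is enough to tell which of the two failures is happening. If the first branch fires and "any Cookie header at all" is true, something is dropping or renaming this specific cookie (the Citrix cookie-consistency check raised in the comments is one candidate); if the second branch fires, the value is being rewritten or the two sites disagree on keys.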
  • based on the strict restriction on the client's policy, is it possible that they have the "do not allow cookie" flag on their IE? – Steve Dec 18 '17 at 16:38
  • isn't that just a matter of [Citrix configuration](https://docs.citrix.com/en-us/netscaler/12/application-firewall/top-level-protections/cookie-consistency-check.html) ? – huysentruitw Dec 18 '17 at 18:11
  • @Steve I'm not sure, another thing I had forgotten to mention, previously the product would have its own login within the same site. Where it worked as expected. – Lloyd Powell Dec 19 '17 at 08:39
  • @ThePower IE considers different domain as third party I believe. and it has the stupid p3p standard which might block the cookie depending on the security level – Steve Dec 19 '17 at 14:35
  • @Steve It's the same domain, just a different site. – Lloyd Powell Dec 19 '17 at 14:46
  • it's a different subdomain. might be treated as third party domain instead of first party – Steve Dec 19 '17 at 14:47
  • @Steve Yeah. If that's the case it's pretty annoying, surely Google would have authentication issues? – Lloyd Powell Dec 19 '17 at 14:49
  • @ThePower They used to until they did this https://blogs.msdn.microsoft.com/ie/2012/02/20/google-bypassing-user-privacy-settings/ – Steve Dec 19 '17 at 14:50

1 Answer


I see in your code snippet that the SameSite configuration is set to None.

Support for SameSite Cookies under IE11 was added afterwards according to these links:

A workaround could be to store your data in the localStorage, which should be supported by older IE11 versions.

TituX75
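Before moving the credential out of the cookie: anything placed in localStorage is readable by any script running on that origin, whereas an HttpOnly cookie is not, so the usual answer to a client that mishandles SameSite=None is to stop emitting the attribute for that client rather than to change where the token lives. The block below is an added example (not the answerer's code) of the cookie-policy pattern ASP.NET Core documents for this: the SameSite attribute is dropped only for user agents known to reject or misinterpret None. The user-agent checks are the ones Microsoft publishes (iOS 12 and macOS 10.14 Safari, Chrome 50 to 69); IE11 behind Citrix, the case in this question, is not among them, so add a check for it only once a capture from that client confirms the cookie is being dropped. `SameSiteMode.Unspecified` requires ASP.NET Core 3.1 or the patched 2.1/2.2 releases; the extension method name is an assumption.

```csharp
// Added example, not from the original answer: per-client SameSite handling via CookiePolicy.
// Assumptions: the extension method name; that this runs on a framework that has SameSiteMode.Unspecified.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class SameSiteCookiePolicy
{
    // True for browsers Microsoft documents as mishandling SameSite=None
    // (either rejecting the cookie outright or treating None as Strict).
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent))
            return false;

        // iOS 12 Safari and WebViews treat SameSite=None as Strict.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
            return true;

        // macOS 10.14 Safari (and embedded WebKit) treat SameSite=None as Strict.
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
            userAgent.Contains("Version/") && userAgent.Contains("Safari"))
            return true;

        // Chrome 50 to 69 reject any cookie that carries SameSite=None.
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
            return true;

        // Assumption left open on purpose: IE11 (Trident/7.0) is not on Microsoft's list.
        // Add a check here only after a capture from the affected client proves it necessary.
        return false;
    }

    private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None)
            return;

        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (DisallowsSameSiteNone(userAgent))
        {
            // Omit the attribute entirely for this client; the browser then applies its default.
            options.SameSite = SameSiteMode.Unspecified;
        }
    }

    public static IServiceCollection AddSameSiteCompatPolicy(this IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.OnAppendCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
        });
        return services;
    }
}

// Wiring (in Startup): services.AddSameSiteCompatPolicy(); and, in Configure,
// app.UseCookiePolicy(); placed before app.UseAuthentication(); so the policy
// rewrites the Set-Cookie header the authentication handler emits.
```

The cookie itself stays HttpOnly and Secure for every client; only the SameSite attribute changes, and only for user agents you have actually identified as broken. Keep the diagnostic logging on the product site running while you roll this out so you can see whether the affected session starts arriving with the cookie intact.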