
I have a very simple ASP.NET Web solution (WebForms) which has a boilerplate implementation of Azure AD authentication via OWIN. It was working fine when tested locally on my PC. I have literally hopped in bed on my Windows laptop, and pulled down the solution from Visual Studio Team Services (Git) and ran it in debug on my laptop. Now, when I try to sign in, the application goes into an infinite loop of the following two web requests (one POST, one GET). I have no idea what's going on here. Can anyone assist? These two log entries just occur over and over again until I quit out.

> Application Insights Telemetry (unconfigured):
> {"name":"Microsoft.ApplicationInsights.Dev.Request","time":"2018-07-09T09:44:50.8000358Z","tags":{"ai.internal.sdkVersion":"web:2.2.0-738","ai.operation.id":"q2LZmfksgJg=","ai.location.ip":"::1","ai.cloud.roleInstance":"DESKTOP-8S777RV","ai.operation.name":"POST
> /"},"data":{"baseType":"RequestData","baseData":{"ver":2,"id":"q2LZmfksgJg=","name":"POST
> /","duration":"00:00:00.0070000","success":true,"responseCode":"302","url":"https://localhost:44378/","properties":{"DeveloperMode":"true"}}}}
> 
> 
> Application Insights Telemetry (unconfigured):
> {"name":"Microsoft.ApplicationInsights.Dev.Request","time":"2018-07-09T09:44:50.8189012Z","tags":{"ai.internal.sdkVersion":"web:2.2.0-738","ai.operation.id":"tDssyCSeipU=","ai.location.ip":"::1","ai.cloud.roleInstance":"DESKTOP-8S777RV","ai.operation.name":"GET
> /ScratchPad.aspx"},"data":{"baseType":"RequestData","baseData":{"ver":2,"id":"tDssyCSeipU=","name":"GET
> /ScratchPad.aspx","duration":"00:00:00.0010000","success":true,"responseCode":"401","url":"http://localhost:63907/ScratchPad.aspx","properties":{"DeveloperMode":"true"}}}}

EDIT: I am a beginner to OWIN / Azure auth, but I did some mucking around, and found that adding CookieSecureOption.Never to my cookie authentication configuration, e.g. changing

app.UseCookieAuthentication(new CookieAuthenticationOptions());

to

app.UseCookieAuthentication(new CookieAuthenticationOptions { CookieSecure = CookieSecureOption.Never });

causes the site to log in OK when debugging. I know this is not a secure option, however, but I hope this helps someone to understand the issue in the first place, as I did not need this option an hour ago when testing on my other PC.

JamesMatson

1 Answer

There is a bug with OWIN/Katana that causes your cookies to just disappear. So your solution will work 90% of the time but 10% of the time it gets stuck in these infinite loops. Redeploying the application might fix it temporarily but then the issue will persist.

One way to address this issue is using the NuGet package Kentor.OwinCookieSaver. You should make a call to this class before the cookie authentication call in the OWIN startup class, as shown below.

app.UseKentorOwinCookieSaver();

app.UseCookieAuthentication(new CookieAuthenticationOptions());

The bug is documented here: https://github.com/aspnet/AspNetKatana/ and the workaround is documented here: https://github.com/Sustainsys/owin-cookie-saver

The NuGet package has been downloaded 177,000+ times.

Marilee Turscak - MSFT
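A check for the pattern visible in the question's two telemetry records, as an added example that is not part of the original question or answer: the POST that returns 302 is served from https://localhost:44378 while the GET that returns 401 is on http://localhost:63907, and a cookie issued with the Secure attribute is not sent over plain HTTP. The sample lines are constructed from those two records (trimmed to three fields and repeated), and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the two telemetry records from the question, trimmed to
# the fields used here and repeated three times to imitate the loop.
SAMPLE = [
    '{"data":{"baseData":{"name":"POST /","responseCode":"302",'
    '"url":"https://localhost:44378/"}}}',
    '{"data":{"baseData":{"name":"GET /ScratchPad.aspx","responseCode":"401",'
    '"url":"http://localhost:63907/ScratchPad.aspx"}}}',
] * 3


def parse(line):
    """Return (method, scheme, host:port, status) for one telemetry JSON line."""
    base = json.loads(line)["data"]["baseData"]
    url = urlsplit(base["url"])
    return base["name"].split()[0], url.scheme, url.netloc, int(base["responseCode"])


def find_cookie_drop_loops(lines, min_repeats=2):
    """Flag repeating pairs: 302 on an HTTPS POST, then 401 on an HTTP request.

    A cookie set with the Secure attribute on the HTTPS sign-in callback is
    never attached to an http:// request, so the redirected page sees no
    session and challenges again.
    """
    reqs = [parse(l) for l in lines if l.strip()]
    hits = {}
    for (m1, s1, o1, c1), (_m2, s2, o2, c2) in zip(reqs, reqs[1:]):
        if m1 == "POST" and c1 == 302 and s1 == "https" and c2 == 401 and s2 == "http":
            key = (f"{s1}://{o1}", f"{s2}://{o2}")
            hits[key] = hits.get(key, 0) + 1
    # A single 302 -> 401 pair can be a normal first challenge; require repeats.
    return {k: n for k, n in hits.items() if n >= min_repeats}


if __name__ == "__main__":
    for (callback, target), n in find_cookie_drop_loops(SAMPLE).items():
        print(f"{n}x: sign-in callback on {callback}, then 401 on {target}")
```

When this fires, aligning the project's debug URL and the redirect target on the HTTPS origin keeps the Secure flag on the cookie, unlike CookieSecureOption.Never.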