I've got an ASP.NET Core 6 MVC Razor pages application using Microsoft Identity for AzureAD integrated authentication running on an Azure Linux AppService plan (with forced HTTPS).

The authentication integration works like a charm. Couldn't be happier.

But in my logs I see warnings like so:

The cookie '".AspNetCore.Correlation.[...]"' has set 'SameSite=None' and must also set 'Secure'.

(and for the .AspNetCore.OpenIdConnect.Nonce cookie).

I've tried adding a cookie policy:

app.UseCookiePolicy(new CookiePolicyOptions
{
    HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always,
    MinimumSameSitePolicy = Microsoft.AspNetCore.Http.SameSiteMode.None,
    Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always
});

But no joy.

I tried that code positioned right after "var app = builder.Build();" and right after "app.UseAuthentication(); app.UseAuthorization();" (just before app.MapRazorPages().RequireAuthorization("MyRoleId")).

Any thoughts on how to get these cookies set as secure?

user2845090

1 Answer

In general, the cookie policy will be added before app.UseAuthentication(), as this will write cookies. Here is the code:

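// Needed for HttpOnlyPolicy; SameSiteMode and CookieSecurePolicy come from Microsoft.AspNetCore.Http.
using Microsoft.AspNetCore.CookiePolicy;

var builder = WebApplication.CreateBuilder(args);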

// Add services to the container.
builder.Services.AddRazorPages();

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();

// Add this before any other middleware that might write cookies
app.UseCookiePolicy(new CookiePolicyOptions
{
    HttpOnly = HttpOnlyPolicy.Always,
    MinimumSameSitePolicy = SameSiteMode.None,
    Secure = CookieSecurePolicy.Always
});

// This will write cookies, so make sure it's after the cookie policy
app.UseAuthorization();
app.MapRazorPages();
app.Run();
SwethaKandikonda
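To confirm from outside the app that the correlation and nonce cookies now carry `Secure`, the `Set-Cookie` values the browser receives can be audited. The following is an added example, not code from the question or the answer; `CookieAudit` and `FindInsecureSameSiteNone` are hypothetical names, and the sample header values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample Set-Cookie values (not captured from the asker's app).
var sample = new[]
{
    ".AspNetCore.Correlation.EXAMPLE=N; path=/signin-oidc; samesite=none; httponly",
    ".AspNetCore.OpenIdConnect.Nonce.EXAMPLE=N; path=/signin-oidc; secure; samesite=none; httponly",
    "prefs=dark; path=/; samesite=lax"
};

foreach (var name in CookieAudit.FindInsecureSameSiteNone(sample))
    Console.WriteLine($"SameSite=None without Secure: {name}");

static class CookieAudit
{
    // Returns the names of cookies that declare SameSite=None but lack the Secure attribute.
    public static IEnumerable<string> FindInsecureSameSiteNone(IEnumerable<string> setCookieValues)
    {
        foreach (var header in setCookieValues)
        {
            var parts = header.Split(';').Select(p => p.Trim()).ToArray();
            if (parts[0].Length == 0) continue; // skip empty header values

            // The first segment is name=value; the remaining segments are attributes.
            var name = parts[0].Split('=', 2)[0];
            var attrs = parts.Skip(1).ToArray();

            // Attribute names and values are matched case-insensitively.
            bool secure = attrs.Any(a => a.Equals("secure", StringComparison.OrdinalIgnoreCase));
            bool sameSiteNone = attrs.Any(a =>
            {
                var kv = a.Split('=', 2);
                return kv.Length == 2
                    && kv[0].Trim().Equals("samesite", StringComparison.OrdinalIgnoreCase)
                    && kv[1].Trim().Equals("none", StringComparison.OrdinalIgnoreCase);
            });

            if (sameSiteNone && !secure)
                yield return name;
        }
    }
}
```

With the constructed input, only the first cookie is reported, which is the same condition the logged warning describes.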