0
  • So it is not a "My PC" problem. I deployed the app on our test server and the changes still don't get applied. Next step is to dig deeper and see if some identity related configuration was overwritten somewhere.
I've set the `Cookie.SameSite` value to `SameSiteMode.Lax` inside`services.ConfigureApplicationCookie(...)`. Now I'm still getting the cookie with the SameSite value set to strict after I restarted the app and signed in.

services.ConfigureApplicationCookie(...):

services.ConfigureApplicationCookie(options =>
            {
                options.Cookie.Name = "sessionCookie";
                options.Cookie.HttpOnly = true;
                options.Cookie.SameSite = SameSiteMode.Lax;
                options.Cookie.MaxAge = TimeSpan.FromHours(5);
                options.SlidingExpiration = true;
                options.LogoutPath = $"/SignOut";
                options.AccessDeniedPath = $"/Account/AccessDenied";
            });
  • Tested in both Chrome and Firefox - same behaviour.
  • Cookies were cleared and I also restarted everything.
    • Yes, also my PC.
  • I can change any other attribute.
    • I've changed the name, secure and other attributes without fail.
  • We are using IdenityServer4 with our own implementation of IdentityUser:
services.AddDefaultIdentity<ApplicationUser>()
    .AddDefaultUI()
    .AddRoles<ApplicationRole>()
    .AddEntityFrameworkStores<AppIdentityDbContext>();
shakinggoblin
  • 1
  • 3

1 Answers1

0

The problem was the following line of code which came way before the lines shown in the question:

services.AddCookieConfiguration();

This was an method with return type IServiceCollection, which was written by another developer a few months ago. Because of this "error" I realized how messy our Startup.cs actually is and extracted some configurations into their own methods.

shakinggoblin
  • 1
  • 3