Asp.net core Chrome Issue with Cookies


I have a strange issue: we are running an ASP.NET Core Razor app. There are no issues logging in with Firefox or Edge.

But rather randomly, we have an issue in Chrome that we can't figure out.

(Random as in, it has occurred on users' machines randomly before and now it is occurring on a lot of machines, but still not all of them)

The issue is that it seems that our "auth-token" cookie is not being set.

To me, it seems that the error is with this line which runs after a successful username and password, but before a redirect.

...
Response.Cookies.Append("auth-token", inToken, option);
...

There is no error, but a line that runs almost immediately after falls over

public async Task Invoke(HttpContext context)
{
    var name = "auth-token";
    var cookie = context.Request.Cookies[name]; //THIS LINE DOESN'T HAVE THE COOKIE CALLED "auth-token" IN CHROME
    ...
}

We have tried:

  • Incognito Chrome/Clearing Cache/Cookies in Chrome
  • Restarting Machine
  • Uninstalling and Reinstalling chrome
  • Installing old versions of Chrome (chromium)
  • Running an old version of our code (which previously worked on chrome)

There doesn't seem to be a clear cause for when this issue occurs.

I would love to figure out why this is happening or if possible any information on how I could capture what is happening.

Thank you!


Solution

  • After many hours researching it seems I have finally fixed my issue.

    By setting the following in our cookie

    SameSite = SameSiteMode.Lax
    

    or

    SameSite = SameSiteMode.Strict
    

    Our Chrome issues have been fixed

    I was reading about Google Chrome's "SameSite" cookie options.

    https://www.chromium.org/updates/same-site

    Originally I thought this was unrelated as SameSite has been forced in Chrome for quite a while now, and it has never bothered our code. But I still tried setting:

    SameSite = SameSiteMode.None
    

    To no changes

    After bringing this up to my boss he informed me that he noticed an old warning that appeared in the chrome console for <1 second.

    'A cookie associated with a resource at ... was set with 'SameSite=None' but without 'Secure'. It has been blocked....'

    (Note: This was before I tried messing around with SameSite Options at all and was part of some code to fix a Safari bug)

    So naturally we managed to capture the error with a quick screenshot and then we added in the SameSite option with Strict.

    So while it works for me now, it still doesn't explain:

    • Why didn't it break earlier? We have been using versions of Chrome with it for several months
    • Why does it still not break if I run an old version of the code with .NET 2.1 (without any SameSite options adjusted)?
    • Why does our new version of the code without the adjusted SameSite option still work on some users' machines?
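
To capture on the server side the condition named in the Chrome warning quoted in the answer, the following added example (not code from the question or the answer) is an ASP.NET Core middleware that logs every outgoing Set-Cookie header carrying SameSite=None without Secure. The class name SameSiteAuditMiddleware and the helper IsBlockedByChrome are hypothetical.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Added example (hypothetical class name): flags Set-Cookie headers that
// Chrome blocks, i.e. SameSite=None without the Secure attribute.
public class SameSiteAuditMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger<SameSiteAuditMiddleware> _logger;

    public SameSiteAuditMiddleware(RequestDelegate next, ILogger<SameSiteAuditMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    // Pure check on one raw Set-Cookie header value, so it can be unit tested.
    public static bool IsBlockedByChrome(string setCookie)
    {
        // Attributes follow the first ';' and their names are case-insensitive.
        var attrs = setCookie.Split(';').Skip(1)
            .Select(a => a.Trim().ToLowerInvariant())
            .ToList();
        return attrs.Contains("samesite=none") && !attrs.Contains("secure");
    }

    public async Task Invoke(HttpContext context)
    {
        // Headers are final only when the response starts, so inspect them there.
        context.Response.OnStarting(() =>
        {
            foreach (var header in context.Response.Headers["Set-Cookie"])
            {
                if (header == null || !IsBlockedByChrome(header)) continue;
                // Log the cookie name only, never the value (it may be a token).
                var name = header.Split('=')[0];
                _logger.LogWarning(
                    "Cookie {Cookie} on {Path} has SameSite=None without Secure; Chrome will block it",
                    name, context.Request.Path);
            }
            return Task.CompletedTask;
        });
        await _next(context);
    }
}
```

Register it early in the pipeline with `app.UseMiddleware<SameSiteAuditMiddleware>()` so the callback is attached before any later component starts the response.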