Tags: asp.net-core, cookies, cross-domain, razor-pages, samesite

Unable to access cookies when posting from different site in .net core


I am experiencing troubles accessing cookie information when I get posted from a different site to our site.

I read the cookies this way

    using System;
    using Microsoft.AspNetCore.Http;

    public static string GetCookie(HttpContext context, string key)
    {
        const string methodName = nameof(GetCookie);
        try
        {
            // Returns null when the browser did not send a cookie with this name
            return context.Request.Cookies[key];
        }
        catch (Exception ex)
        {
            throw new Exception($"{methodName} | Exception : {ex.Message} | StackTrace : {ex.StackTrace} | InnerException : {ex.InnerException}", ex);
        }
    }

And save the cookies this way

    using System;
    using Microsoft.AspNetCore.Http;

    public static void SetCookie(HttpContext context, string key, string value, int expiresInMinutes = 20)
    {
        const string methodName = nameof(SetCookie);
        try
        {
            context.Response.Cookies.Append(key, value, new CookieOptions()
            {
                Path = "/",
                HttpOnly = false,
                Secure = false,
                Expires = DateTimeOffset.Now.AddMinutes(expiresInMinutes)
            });
        }
        catch (Exception ex)
        {
            throw new Exception($"{methodName} | Exception : {ex.Message} | StackTrace : {ex.StackTrace} | InnerException : {ex.InnerException}", ex);
        }
    }

Suppose my site is https://site1.com and I have redirected to a payment gateway, https://pgateway.com. I am able to access the cookies when pgateway.com redirects back using a GET request, but not when pgateway.com posts the data. The cookies had already been saved before the redirection.

I have added the following CORS configuration:

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors();

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_3_0);
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // In ASP.NET Core 3.0 UseCors must come after UseRouting and before UseEndpoints
        app.UseCors(
            options => options.WithOrigins("https://pgateway.com").AllowAnyMethod()
        );
    }

Please help me out regarding this concern. Thanks.


Solution

  • It is probably due to the SameSite attribute of the cookie. Try the following; the Secure attribute is required.

    using System;
    using Microsoft.AspNetCore.Http;

    public static void SetCookie(HttpContext context, string key, string value, int expiresInMinutes = 20)
    {
        const string methodName = nameof(SetCookie);
        try
        {
            context.Response.Cookies.Append(key, value, new CookieOptions()
            {
                Path = "/",
                HttpOnly = false,
                Secure = true,                 // updated: browsers reject SameSite=None without Secure
                SameSite = SameSiteMode.None,  // added: allow the cookie on cross-site requests
                Expires = DateTimeOffset.Now.AddMinutes(expiresInMinutes)
            });
        }
        catch (Exception ex)
        {
            throw new Exception($"{methodName} | Exception : {ex.Message} | StackTrace : {ex.StackTrace} | InnerException : {ex.InnerException}", ex);
        }
    }
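To show why the answer's two attribute changes are needed, here is an added Python model of the browser-side decision; it is not code from the question or the answer and it simplifies real browser behaviour. It assumes what current browsers do: a cookie without a SameSite attribute is treated as Lax, a Lax cookie is attached to a cross-site top-level navigation only for safe methods such as GET, a SameSite=None cookie is attached to any cross-site request but is discarded at Set-Cookie time unless it is also Secure, and a Secure cookie is never sent over plain http. CORS does not enter into this: a top-level form POST from the gateway is a navigation, not a cross-origin fetch, so the cookie decision is made purely from the SameSite and Secure attributes. The scenario names (site1.com, pgateway.com) and the cookie name "order" are taken from or constructed for the example.

```python
from dataclasses import dataclass

# Cookie attributes as the browser stored them. When the Set-Cookie header
# carries no SameSite attribute, current browsers default to Lax, which is
# why "Lax" is the default here (simplified model, not a browser's real code).
@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str = "Lax"   # "Strict", "Lax" or "None"
    secure: bool = False

@dataclass(frozen=True)
class Request:
    method: str        # "GET", "POST", ...
    scheme: str        # "https" or "http"
    cross_site: bool   # initiated by a different site than the cookie's
    top_level: bool    # top-level navigation (redirect / form post), not XHR

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def browser_stores(cookie: Cookie) -> bool:
    """Browsers reject SameSite=None cookies that are not also Secure."""
    return not (cookie.same_site == "None" and not cookie.secure)

def browser_sends(cookie: Cookie, req: Request) -> bool:
    """Decide whether the stored cookie is attached to this request."""
    if not browser_stores(cookie):
        return False
    if cookie.secure and req.scheme != "https":
        return False
    if not req.cross_site:
        return True                       # same-site: always sent
    if cookie.same_site == "None":
        return True                       # sent on any cross-site request
    if cookie.same_site == "Lax":
        return req.top_level and req.method in SAFE_METHODS
    return False                          # Strict: never cross-site

def gateway_return(cookie: Cookie) -> dict:
    """The page's scenario: pgateway.com sends the user back to site1.com,
    once via a redirect (GET) and once via a form POST. Both are cross-site,
    top-level navigations over HTTPS (constructed requests)."""
    get_back = Request("GET", "https", cross_site=True, top_level=True)
    post_back = Request("POST", "https", cross_site=True, top_level=True)
    return {"GET": browser_sends(cookie, get_back),
            "POST": browser_sends(cookie, post_back)}

if __name__ == "__main__":
    cases = [
        ("question: no SameSite, Secure=false", Cookie("order")),
        ("SameSite=None without Secure", Cookie("order", "None", False)),
        ("answer: SameSite=None; Secure", Cookie("order", "None", True)),
        ("SameSite=Strict; Secure", Cookie("order", "Strict", True)),
    ]
    for label, c in cases:
        print(f"{label:38} {gateway_return(c)}")
```

The first case reproduces the symptom in the question (cookie present after the GET redirect, absent on the POST); the second shows why the answer says Secure is required, since the cookie is never stored at all; the third is the answer's fix. Because a SameSite=None cookie is now attached to every cross-site POST, the endpoint that receives the gateway's callback should authenticate the gateway's data (for example its signature or server-to-server confirmation) rather than treat the cookie's presence as proof that the request came from the gateway.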