Tags: asp.net, asp.net-mvc, iis, webforms, iis-10

This attempt to set a cookie via a Set-Cookie was blocked because it had the "Secure" attribute


I have an ASP.NET WebForms/MVC hybrid app deployed on IIS 10. I have two bindings for this app: one with just a localhost:portNo binding and another with a DNSDomainName:portNo binding. Both are HTTP bindings. SSL is turned off. I get the error

"This attempt to set a cookie via a Set-Cookie was blocked because it had the "Secure" attribute but was not received over a secure connection."

when I test the DNSDomainName:portNo binding (it is failing to set sessions). The localhost:portNo binding works without any issues. Why is this happening, and how do I fix it?


Solution

  • Your cookies are configured to require an HTTPS connection. When you try to set them on a non-secure connection, they will be rejected.

    Check your web.config file settings for:

    <httpCookies requireSSL="true" />
    

    Change that setting to false, and your session cookies should start working.

    NB: Once you publish your site, it should only ever be served over HTTPS, and this setting should be changed back to true.

    Secure Cookie Attribute | OWASP Foundation

    The localhost binding works because most browsers have special-case code to treat connections to that host name as "secure", even if they don't use HTTPS.

    Locally-delivered resources such as those with http://127.0.0.1 URLs, http://localhost and http://*.localhost URLs (e.g. http://dev.whatever.localhost/), and file:// URLs are also considered to have been delivered securely.
    Secure contexts - Web security | MDN
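To make the rule the answer relies on concrete, here is an added example (not code from the original post or from ASP.NET/IIS) that models how a browser decides whether to store a Set-Cookie carrying the Secure attribute: it is kept only when the response came over a secure scheme or from a potentially trustworthy origin such as localhost, *.localhost or a loopback address, which is exactly why the localhost binding works and the DNS-name binding does not. The URLs and Set-Cookie headers are constructed sample data; the cookie name ASP.NET_SessionId is the default ASP.NET session cookie, and the scheme and host rules follow the MDN passage quoted above.

```python
import ipaddress
from urllib.parse import urlsplit


def is_potentially_trustworthy(url: str) -> bool:
    """Return True if a browser would treat this origin as secure.

    Follows the secure-context rule quoted from MDN: https/wss/file
    schemes, the hosts localhost and *.localhost, and loopback IPs
    (127.0.0.1, ::1) all count as securely delivered.
    """
    parts = urlsplit(url)
    if parts.scheme in ("https", "wss", "file"):
        return True
    host = (parts.hostname or "").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal, e.g. a DNS name
        return False


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes such as Secure
    and HttpOnly map to an empty string.
    """
    name_value, *attr_parts = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    attrs = {}
    for part in attr_parts:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_accepted(request_url: str, set_cookie_header: str):
    """Decide whether the browser keeps this cookie, with a reason.

    A cookie flagged Secure is dropped unless the response arrived
    over a secure connection or from a potentially trustworthy host;
    this is the browser check behind the error in the question.
    """
    name, _value, attrs = parse_set_cookie(set_cookie_header)
    if "secure" in attrs and not is_potentially_trustworthy(request_url):
        return False, (f"cookie {name!r} blocked: Secure attribute "
                       f"but {request_url} is not a secure connection")
    return True, f"cookie {name!r} accepted for {request_url}"


# Constructed sample responses: the same session cookie issued while
# <httpCookies requireSSL="true" /> is in effect (Secure present) and
# after the setting is changed to false (Secure absent).
SAMPLE_RESPONSES = [
    ("http://localhost:8080/", "ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure"),
    ("http://app.example.internal:8080/", "ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure"),
    ("http://app.example.internal:8080/", "ASP.NET_SessionId=abc123; path=/; HttpOnly"),
    ("https://app.example.internal/", "ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure"),
]


def audit(responses=SAMPLE_RESPONSES):
    """Return the (url, header) pairs a browser would reject."""
    return [(url, hdr) for url, hdr in responses if not cookie_accepted(url, hdr)[0]]


if __name__ == "__main__":
    for url, hdr in SAMPLE_RESPONSES:
        print(cookie_accepted(url, hdr)[1])
```

Run against the sample data, only the DNS-name binding with the Secure flag is reported as blocked; the localhost binding keeps the same cookie, and the HTTPS origin keeps it too, which is the state the answer's NB recommends for a published site.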