asp.net-coreidentity

The cookie '.AspNetCore.Identity.Application' has set 'SameSite=None' and must also set 'Secure'


I followed these links:

These are my settings:

services.AddIdentityServer()
    .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

services.AddAuthentication()
    .AddIdentityServerJwt();

services.ConfigureNonBreakingSameSiteCookies();

// Adjust to this (or similar)
services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
     {
        // add an instance of the patched manager to the options:
        options.CookieManager = new ChunkingCookieManager();
      });

And then in the configure:

app.UseCookiePolicy();

I am trying to run identity over http. I get those errors when setting certain (but not all) cookies, and I completely fail to delete the cookies in chrome


Solution

  • Everything is okay in your code, but you should more configure your cookies.

    Add additional attributes - Secure, HttpOnly and SameSite in AddCookie. More information in official documentation

    Example:

            services
               .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
               .AddCookie(options =>
               {
                   // add an instance of the patched manager to the options:
                   options.CookieManager = new ChunkingCookieManager();
    
                    options.Cookie.HttpOnly = true;
                    options.Cookie.SameSite = SameSiteMode.None;
                    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
               });