AzureAD and iOS 12 SameSite Cookie Infinite Loop


I'm getting the same SameSite cookie problem that I have seen going around. I am using AzureAD and when I apply the fixes that are out there I still can't stop the infinite loop in iOS 12.

I read this page and this one detailing setting SameSiteMode to None. Am I missing something new?

.NET Core 2.1, AzureAD

Here is my startup class:

using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        // AzureAD (OpenID Connect) sign-in with a cookie session; SameSite=None is set
        // on both the application cookie and the external (correlation) cookie.
        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options))
            .AddCookie(options => options.Cookie.SameSite = SameSiteMode.None)
            .Services.ConfigureExternalCookie(options =>
            {
                options.Cookie = new CookieBuilder()
                {
                    SameSite = SameSiteMode.None
                };
            });

        // Require an authenticated user for every MVC endpoint by default.
        services.AddMvc(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        })
        .SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseCors(builder =>
        {
            // cannot be set to AllowAnyOrigin, because then the response is not accepted, because the credentials are included
            builder.WithOrigins("https://*.sharepoint.com")
                .SetIsOriginAllowedToAllowWildcardSubdomains()
                .AllowCredentials();
        });

        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();

        // Cookie policy must run before authentication so it can rewrite the auth cookies.
        app.UseCookiePolicy(new CookiePolicyOptions()
        {
            MinimumSameSitePolicy = SameSiteMode.None
        });

        app.UseAuthentication();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}

EDIT: I have another application deployed to the same box that is not having the same infinite loop issue. I copied the configuration to match that application and it is still not working. Both are new .NET Core 2.1 apps.

services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddAzureAd(options => Configuration.Bind("AzureAd", options))
    .AddCookie();

And:

app.UseAuthentication();

Can anyone help?

2

There are 2 answers

0
Eric (BEST ANSWER)

This appears to be working with the newest updates from MS and Apple.

0
Alex White

Versions of iOS prior to iOS 13 don’t recognise ‘None’ as a valid value for SameSite, so the cookie will not be sent. This has been fixed for iOS 13, but the fix isn’t being backported to earlier versions of iOS.

This is significant today because of the changed handling of cookies in Chrome 80, expected on 4th Feb 2020. Once it is released, Chrome will treat cookies without SameSite as SameSite=lax and will NOT send them in scenarios like iFrame, POST etc. Unfortunately just setting SameSite=None on all cookies won’t work because of the problem you’ve found here in earlier versions of iOS (and macOS Safari).
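The usual way to reconcile the two constraints Alex White describes (Chrome 80 needs an explicit SameSite=None, iOS 12 and Mojave Safari drop the cookie when they see it) is to emit SameSite=None by default and strip the attribute only for the browsers known to reject it. The following is an added example, not code from the question or from either answer; it assumes a patched runtime (2.1.14+ or 3.1) where `SameSiteMode.Unspecified` exists, and the user-agent substrings are the ones Microsoft's own guidance for this bug checks for.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class SameSiteCookieCompat
{
    // Returns true for browsers that treat SameSite=None as invalid and drop the cookie.
    // Substrings assumed from Microsoft's documented user-agent checks for this issue.
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return false;

        // iOS 12 Safari and embedded WebKit views
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
            return true;

        // macOS 10.14 (Mojave) Safari shares the same WebKit bug; "Version/" excludes
        // Chrome on the same OS, which handles None correctly
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
            userAgent.Contains("Version/") && userAgent.Contains("Safari"))
            return true;

        return false;
    }

    private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None) return;

        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (DisallowsSameSiteNone(userAgent))
        {
            // Omit the attribute entirely for these browsers; they then fall back to
            // their pre-Chrome-80 default, which still sends the cookie cross-site.
            options.SameSite = SameSiteMode.Unspecified;
        }
    }

    public static IServiceCollection ConfigureSameSiteCompat(this IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Do not force a minimum; let each cookie keep the value its issuer set
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            // Both hooks run for every cookie the app appends or deletes
            options.OnAppendCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
        });
        return services;
    }
}
```

Call `services.ConfigureSameSiteCompat()` in `ConfigureServices` and `app.UseCookiePolicy()` with no argument (passing a `new CookiePolicyOptions` as in the question bypasses the configured options) before `app.UseAuthentication()`, so the hooks see the authentication and correlation cookies. Any cookie sent with SameSite=None must also be marked Secure, or Chrome 80 rejects it as well.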