Set the Scene
I'm experiencing a very unique scenario where my ASPNet.SharedCookie seems to be disappearing or altered in IE11 when under a proxy. I'll set the scene:
We have 2 websites that are hosted on different servers, let's call them:
The first site deals with authentication, it checks credentials and sets the cookie for the domain .mydomain.com. This has worked perfectly for 99% of scenarios (we have a large user base).
The Problem
We have 1 user that uses Citrix, so they access the product via a proxy and they have no control over browser versions. They must use IE11.
So they access login.mydomain.com, enter their credentials, and the cookie is authenticated and set; they are then redirected to product.mydomain.com. But when they hit this site the cookie doesn't appear to be there or seems to have been altered (I can't find out exactly because they don't have access to see the cookie on their machine). From our logs I know we get the following:
Authorization failed for user: null.
Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
Has anyone experienced this before? Like I say, it works for the masses, but for this unique scenario we are having difficulties.
The Detail
Startup for the login site:
// Was previously services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme) but the issue still occurred
services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    var protectionProvider = DataProtectionProvider.Create(new DirectoryInfo(Config.KeyLocation));
    var dataProtector = protectionProvider.CreateProtector("Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware", "Cookie", "v2");
    var ticketFormat = new TicketDataFormat(dataProtector);

    options.ClaimsIssuer = MyIdentity.AuthType;
    options.TicketDataFormat = ticketFormat;
    options.Cookie.Name = Config.CookieName;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.Domain = Config.Domain;
    options.Cookie.Expiration = TimeSpan.FromMinutes(Config.Expiration);
    options.Cookie.SameSite = SameSiteMode.None;
    options.ExpireTimeSpan = TimeSpan.FromMinutes(Config.ExpireTimeMins);
    options.SlidingExpiration = true;
    options.Events = new CookieAuthenticationEvents()
    {
        OnRedirectToLogin = ctx =>
        {
            ctx.Response.Redirect(Config.Login);
            return Task.FromResult<object>(null);
        }
    };
});
I'm also calling service.AddDataProtection and .PersistKeysToFileSystem.
Let me know if I should add the Startup code for the product; I'm not sure if it makes any difference, as I'm presuming the issue with the cookie is occurring on the redirect.
Thanks for any help!
I see in your code snippet that the SameSite configuration is set to None.
Support for SameSite Cookies under IE11 was added afterwards according to these links:
A workaround could be to store your data in the localStorage, which should be supported by older IE11 versions.
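
One way to test the SameSite explanation given in this answer, as an added example (not code from the question or the answer): leave the SameSite attribute off the cookie for IE11 only, using the ASP.NET Core cookie policy middleware. It assumes ASP.NET Core 3.1 or later (for SameSiteMode.Unspecified) and that IE11 is recognised by the Trident/7.0 token in its User-Agent; SameSiteFallback, IsIe11, Relax and AddSameSiteFallback are hypothetical names.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class SameSiteFallback
{
    // Assumption: IE11 sends "Trident/7.0" in its User-Agent header.
    public static bool IsIe11(string userAgent) =>
        !string.IsNullOrEmpty(userAgent) && userAgent.Contains("Trident/7.0");

    // Only touches cookies that were going to be written with SameSite=None,
    // and only for IE11; every other client keeps the configured value.
    private static void Relax(HttpContext http, CookieOptions cookie)
    {
        if (cookie.SameSite == SameSiteMode.None &&
            IsIe11(http.Request.Headers["User-Agent"].ToString()))
        {
            // Unspecified means no SameSite attribute is emitted at all.
            // A browser without SameSite support treats the cookie as it
            // always did, so Secure and HttpOnly still carry the protection.
            cookie.SameSite = SameSiteMode.Unspecified;
        }
    }

    // Call from ConfigureServices, alongside AddAuthentication().AddCookie(...).
    public static void AddSameSiteFallback(this IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Do not let the policy force a stricter value back onto the cookie.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.OnAppendCookie = ctx => Relax(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => Relax(ctx.Context, ctx.CookieOptions);
        });
    }
}

// In Configure, the policy must run before the cookie is issued or renewed:
//     app.UseCookiePolicy();
//     app.UseAuthentication();
```

Because SlidingExpiration re-issues the cookie, the same policy belongs on every site that writes it, not only on the login site. If the Set-Cookie header for the IE11 user no longer carries SameSite=None and authorization still fails, the attribute is not the cause.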