ASP.net core auth cookie not being set in Google Chrome when running in dev

Rob McCabe · May 3, 2016 · Viewed 8.4k times

I have three applications in my solution, all built in asp.net core 1 MVC 6.

  • App 1 is an MVC app used for authenticating a user.
  • App 2 is an Angular SPA app and is the main app in the solution.
  • App 3 is an MVC web api application.

In app 3, I have the usual asp.net core SignInManager and UserManager code (the same code as you get by default when you start a new MVC 6 template - the only difference is, it exists in my web api here). And the login/logout/register etc. is exposed via web api methods in my AccountController. This allows me to lock down the web api, so only authenticated requests get processed (using the [Authorize] attribute).

When I call the "Login" method in my AccountController, if login is successful - it returns a Set-Cookie directive with the following name: ".AspNet.Microsoft.AspNet.Identity.Application" (this is used for authentication)

The login app then forwards the user from App1 to App2. All subsequent requests to the web api (App3) are then Authenticated and allowed to be executed. NOTE: By subsequent requests - specifically I mean, within App2, angular calling to ask for data from the web service.

All of this works fine - well, it works in IE fine. Which brings me to my question, why would this not be working in Chrome? I see the "Set-Cookie" directive coming back from the response of the web api Login in Chrome, but subsequent requests do not have this cookie attached.

What am I doing wrong?

NOTE: My Http Response from the login method looks like this:

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/json; charset=utf-8
    Expires: -1
    Server: Kestrel
    Set-Cookie: .AspNet.Microsoft.AspNet.Identity.Application=CfDJ8FWIuvXs-TxKoIYE8259iAY52B_VZDPTTvYwZ-WAo8hhPCdLhmUfxNZD1wjxEt0sqqnZl6NomwHPNTNFkBxsq4cw_WkQYklnj_dK79wodIguLdPXAbKu6UbS6HKRBxFxjOKVAfIdyxZJ6xA2CtnR9nJC_CSg7v1vFSzgDEiSBso8D3aDNjzFk87oIJodC7WLVxWUqdUpjaGRCXqHTYjTwgL9DCihnajAlB921_oEPinUwIPP8g_ugCQmqbFq6kgQ-GwPTifBKRlbtwNsDwbetynl1gIqzELyjgEUAKgtpD9SX7FSjl1grxoGRjbPiXJe-k1SSdnUIHR7wYPkFpiis_c_P1pGkmSyeiDG-lf0xftTlXlnC3BWMbgXeWZn_hsDzbW_Tek3qiq_NB-T0IMGaJgjRnr5DARNcOACWbzwGvHFjsn7n0u7-UZOfzgQJ76d3ra-hjra-aNcHLgbfDef3TK6z_CKt2iIlnTkyEJXC-3OSGnfWDRvofvQ216UApEPiKoJxiCjWSvGAQCzvf9P1TtKuwAQVxfWz8pL077E-Wfc-4ybtrT6Ivz2VbdFng5Ze5IQ5YWfYYTpDhLSHGKnpFgxVf96f7JwoXlgRq0gs7yEWdWFZs6d18pw-El5sLJr7g; path=/; secure; httponly
    Access-Control-Allow-Origin: *
    X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcUm9iZXJ0XERlc2t0b3BcSEJFIE1hbmFnZXJcTUFJTlxCbHVlem9uZSBXZWJBcGlcc3JjXEJ6LkFwcGxpY2F0aW9uXEJ6LkFwcGxpY2F0aW9uLkFwaVx3d3dyb290XGFwaVxhY2NvdW50XExvZ2lu?=
    X-Powered-By: ASP.NET
    Date: Wed, 04 May 2016 10:39:57 GMT
    Content-Length: 16

Answer

monsee · Nov 26, 2019

Hi, I had this problem too.

While my localhost environment in VS worked fine and my user could be logged in, this didn't work in the published environment for Chrome.

This began when I was trying some self-signed-certificate stuff in IIS on my pre-production environment by turning on https with configured bindings. And after that I went back to http.

What you could try in Chrome is this: Open the developer tools, go to the Application tab and in the left pane choose Clear storage. Under the diagram on the right, click Clear site data even if the usage shows 0 Bytes used. Do it anyway.

Finally I got my application with login features back.

Hope that this will help someone, too.
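
As an added example (not from the question, the answer, or the project's code): a small Node.js check that reads the login response headers shown in the question and lists conditions under which a browser would not store or attach the auth cookie on the SPA's calls to the web API. The hostnames, ports, path, the `parseSetCookie` and `diagnose` helpers and the finding labels are assumptions made for illustration, and the cookie value is a constructed placeholder.

```javascript
// Parse one Set-Cookie header value into { name, attrs } (attribute names lower-cased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, attrs };
}

// List reasons a browser would not keep or attach the login cookie on SPA -> API calls.
// ctx.withCredentials mirrors XMLHttpRequest.withCredentials / fetch credentials: 'include'.
function diagnose(responseHeaders, ctx) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const cookie = parseSetCookie(h['set-cookie']);
  const api = new URL(ctx.apiUrl);
  const crossOrigin = api.origin !== new URL(ctx.pageOrigin).origin;
  const findings = [];
  // A cookie marked Secure is only sent over HTTPS.
  if (cookie.attrs.secure && api.protocol !== 'https:')
    findings.push('secure-cookie-over-http');
  // Cross-origin XHR/fetch neither stores nor sends cookies unless credentials are enabled.
  if (crossOrigin && !ctx.withCredentials)
    findings.push('cross-origin-request-without-credentials');
  if (crossOrigin && ctx.withCredentials) {
    // Credentialed CORS responses need an explicit origin and Allow-Credentials: true.
    if (h['access-control-allow-origin'] === '*')
      findings.push('wildcard-acao-with-credentials');
    if (h['access-control-allow-credentials'] !== 'true')
      findings.push('missing-allow-credentials');
  }
  return findings;
}

// Constructed sample: header shape from the question, cookie value replaced by a placeholder.
const sampleHeaders = {
  'Set-Cookie': '.AspNet.Microsoft.AspNet.Identity.Application=CONSTRUCTED; path=/; secure; httponly',
  'Access-Control-Allow-Origin': '*',
};
// Constructed dev URLs for App 2 (SPA) and App 3 (web API), served over plain http.
const devContext = { pageOrigin: 'http://app2.dev.example:5001',
  apiUrl: 'http://api.dev.example:5002/api/account/login', withCredentials: true };
console.log(diagnose(sampleHeaders, devContext));
```

Each finding is independent, so a dev setup can trip several at once; rerun the check after changing the scheme or the CORS headers to see which remain.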