
javascript - xhr.withCredentials = true; does not work in chrome - Stack Overflow


I have a problem authenticating a CORS request in Chrome.

I've a Single Page Application running on localhost and web services running in Azure. I log in using OpenIdConnect.

When I do a CORS request in Edge to my backend like this, authentication works:

$.ajax({
   type: 'get',
   url: buildBackendUrl("api/Account"),
   // ask the browser to attach cookies to this cross-origin request
   xhrFields: { withCredentials: true }
});

However, the same does not work in Chrome. When I enter the web service URL in the browser manually, the request is authenticated.

I've examined the request headers of the CORS request, and the difference is in the cookies:

  • Edge: ARRAfinity=...; AspNetCore.Cookies=...
  • Chrome: ARRAfinity=...

Why does Chrome not include all cookies?

EDIT: here are the requests captured by Fiddler:

  1. REDIRECT when I press login:
    myapp.azurewebsites/api/Account/login?returnUrl=http://localhost:46563/
  2. Since I'm already logged in, there is no need to go to the login page. Redirect to
    myapp.azurewebsites/signin-oidc
  3. REDIRECT BACK: localhost:46563/
  4. CORS made from Localhost: myapp-dev.azurewebsites/api/Account

In neither request nr. 3 nor nr. 4 do I see the cookies.

Anyway, the response to request nr. 2 (myapp.azurewebsites/signin-oidc) tries to set cookies:

HTTP/1.1 302 Found
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Expires: -1
Location: http://localhost:46563/
Set-Cookie: .AspNetCore.Correlation.OpenIdConnect.3ifhkwCQkMuZkTgBxYiKMOSoLgTX2nIex-8aH-syh5Q=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; samesite=lax
Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8FG-d2csck1FsQu2pwqnsxLd4w9YWobqchk1w3xMgy7bCX_KilCuRxuj4U0bSTAL-dD_iwdEaZI6pclqlP-3f7QBuKUMS379DFiBPd_tkEkyB_IYVWzJsR1xtw-_qcS1pQL6ial_C2ywbSwRucBxUqtDPMcuFEIomNDDnklpqWUmS_5Xb_tB23Ew7b14M861pL1CtJ18uPqgu-nOgn1RygqhBhMECoQfQ7YhXN_BtfiIbdPfw00jWNfMVc5G1B-SnT_eq80_RmxQ4_JOX3ZJfiI=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; samesite=lax
Set-Cookie: .AspNetCore.Cookies=...; path=/; samesite=lax; httponly

asked Oct 5, 2017 at 9:53 by Liero; edited Mar 18, 2020 at 0:44 by sideshowbarker
  • Rather impossible to tell with those short snippets ... I suppose you have first of all checked whether those cookies are set in Chrome to begin with? – C3roe Commented Oct 5, 2017 at 9:58
  • So just to be clear, this is about the cookie set for the localhost domain, and you expect that to be sent - when exactly, where to? – C3roe Commented Oct 5, 2017 at 10:26
  • I've checked that 3rd party cookies are allowed in Chrome settings. I expect that I send .AspNetCore.Cookies=... with the request made from localhost to myapp.azurewebsites/api/Account. However, I'm not 100% sure where these cookies come from. I guess they are generated by myapp.azurewebsites/signin-oidc and set to localhost – Liero Commented Oct 5, 2017 at 10:39
  • Well, at most the last cookie should be sent to myapp.azurewebsites/signin-oidc, because the other two are not even valid for that path. When you check the cookies set for myapp.azurewebsites after the whole thing, are they all there? If the browser did not accept them, it can't send them back either. – C3roe Commented Oct 5, 2017 at 11:05
  • "I guess they are generated by myapp.azurewebsites/signin-oidc and set to localhost" - myapp.azurewebsites cannot set cookies for localhost ... it would be a huge security issue if something like that were possible. – C3roe Commented Oct 5, 2017 at 11:06

1 Answer

There's a new draft on cookie policy, called SameSite, currently implemented by Chrome and Opera.

Basically, cookies marked with SameSite=Strict are not sent with a CORS request even if you set xhr.withCredentials = true;

In order to make it work, you have to disable the SameSite policy on the particular cookie. In the case of the ASP.NET Core 2.0 authentication cookie it was:

// Startup.ConfigureServices: opt the authentication cookie out of SameSite
services.AddAuthentication(...)
    .AddCookie(option => option.Cookie.SameSite = SameSiteMode.None)
    .AddOpenIdConnect(...);
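Why the Lax cookie is dropped on the cross-site XHR (request nr. 4) but attached on a manual visit, as an added example that is not part of the question or the answer: it models the SameSite attachment rule over the Set-Cookie lines from the question's 302 response (opaque values shortened) plus one constructed line showing the cookie after the answer's fix. It assumes current Chrome behaviour (version 80 and later), where a cookie without a SameSite attribute defaults to Lax and a SameSite=None cookie is accepted only together with Secure.

```javascript
// Added example (not code from the question or answer): a model of the SameSite
// rule that explains why Edge sent .AspNetCore.Cookies on the CORS request and
// Chrome did not. Lines 1-3 are from the question's 302 (values shortened); the
// last is constructed: the cookie after the answer's fix (None, plus Secure).
const SET_COOKIE_LINES = [
  ".AspNetCore.Correlation.OpenIdConnect.X=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; samesite=lax",
  ".AspNetCore.OpenIdConnect.Nonce.Y=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; samesite=lax",
  ".AspNetCore.Cookies=session; path=/; samesite=lax; httponly",
  ".AspNetCore.Cookies=session; path=/; samesite=none; secure; httponly",
];

function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  // No SameSite attribute is treated as Lax, Chrome's default since version 80.
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              path: "/", sameSite: "lax", secure: false, expires: null };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    const v = i < 0 ? "" : a.slice(i + 1);
    if (k === "path") c.path = v;
    else if (k === "samesite") c.sameSite = v.toLowerCase();
    else if (k === "secure") c.secure = true;
    else if (k === "expires") c.expires = new Date(v);
  }
  return c;
}

// Would the browser attach this cookie? crossSite: the request originates from
// another site (localhost -> azurewebsites); topLevelNav: an address-bar entry
// or redirect rather than an XHR/fetch; https: scheme of the request URL.
function wouldSend(c, { path, crossSite, topLevelNav, https, now = new Date() }) {
  if (c.expires && c.expires <= now) return false;   // expires in the past = deleted
  if (!path.startsWith(c.path)) return false;        // outside the cookie's path
  if (c.secure && !https) return false;
  if (!crossSite) return true;
  if (c.sameSite === "strict") return false;
  if (c.sameSite === "none") return c.secure;        // None without Secure is dropped
  return topLevelNav;                                // Lax: GET navigations only
}

// Replays request nr. 4 (CORS XHR from localhost, topLevelNav=false) or the
// manual address-bar visit (topLevelNav=true) and lists the cookies attached.
function cookiesAttached(lines, topLevelNav) {
  const req = { path: "/api/Account", crossSite: true, topLevelNav, https: true };
  return lines.map(parseSetCookie).filter((c) => wouldSend(c, req))
              .map((c) => `${c.name} (samesite=${c.sameSite})`);
}
```

Note that SameSite=None removes the browser-side cross-site protection for that cookie, so the server's CORS policy must then allow only the specific origin together with Access-Control-Allow-Credentials: true, and anti-forgery checks on the API carry the load.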