Set cookie not over HTTPS in ASP.NET 5

1.7k Views Asked by Ruben Aleksanyan At 22 February 2022 at 16:10

I have two microservices. One is for identity. I am trying to set auth cookie and I have this middleware:

app.UseCookiePolicy(new CookiePolicyOptions
{
    MinimumSameSitePolicy = SameSiteMode.None,
    Secure = CookieSecurePolicy.None,
    HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None
});

And also this service:

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.SecurePolicy = CookieSecurePolicy.None;
        options.Cookie.IsEssential = true;
    });

And also browser throws this warning:

So I want to know if it is possible or not to set cookie not over HTTPS ???

Original Q&A

There are 1 best solutions below

Tore Nestenius On 24 February 2022 at 13:19 BEST ANSWER

You need to set the cookie over Https, otherwise it will not work.

This is because the Samesite cookie functionality requires that it is done over HTTPs when the cookies reaches the browser.

see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

That says:

Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).

To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging cookie problems

Set cookie not over HTTPS in ASP.NET 5

There are 1 best solutions below

Related Questions in ASP.NET-CORE

Related Questions in COOKIES

Related Questions in IDENTITYSERVER4

Related Questions in SAMESITE

Related Questions in ASP.NET5

Trending Questions

Popular # Hahtags

Popular Questions