DuendeSoftware/Support

missing cookie when redirecting back from callback request

Closed this issue · 4 comments

Duende IdentityServer: 7.0.6

.NET: 8

Issue: We're encountering an issue with Duende IdentityServer in the following scenario: when we're redirected to the SSO login page via our application and wait for around 2 minutes before attempting to log in, we encounter an error.

Upon further investigation, it appears that the cause of this issue is the absence of the one cookie in the callback request.
It seems that if we remain on the SSO login page for more than 2 minutes, this cookie is somehow deleted.

We have not removed the cookie manually; also, its expiry is 15 min. Can anyone help us understand what is causing the removal of this cookie from the request?

Adding some additional details.
I tried adding some other custom cookies for testing, and they are also getting removed after 2 min; it seems all this is happening when calling the Duende callback method.

The issue is fixed by adding SameSite = SameSiteMode.None in the cookie request.

The default SameSite mode for the cookie is Lax. That means that when a cross-site request is happening, it will only be sent along if it is a GET request. I'm guessing the response mode is set to form_post, which will result in a POST request.

When working cross-site, some browsers have a grace period of 2 minutes in which the cookie is seen as a SameSite=None cookie even if it has Lax or Strict. This is implemented during a transition period as browsers become more strict, requiring a SameSite cookie policy with cross-site requests.

Questions for you:

  • What browser are you using? Does the behavior change when using a different browser?
  • What response mode are you using? Does the behavior change when using query?

@Rahul21199 Would you like to follow up on this? If not I'd like to close the issue.
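To make the two-minute behaviour discussed in this thread concrete, here is an added Python model of the browser's SameSite decision for the callback request. It is not Duende's code and not part of the thread. It assumes the application and the SSO login page live on different sites (so the return to the callback is a cross-site top-level request), it follows Chrome's documented "Lax+POST" grace window (which applies to cookies that set no SameSite attribute and therefore default to Lax), and it includes the rule that a SameSite=None cookie is rejected unless it is also Secure, which is the check to make when applying the SameSiteMode.None fix. The cookie name, the OIDC response modes mapped to HTTP methods, and the wait times are constructed for the example.

```python
"""Model of a browser's SameSite decision for an OIDC callback request.

Added example (not Duende code). Constructed model of documented browser rules;
verify against the current policy of the browsers you actually support.
"""
from dataclasses import dataclass
from enum import Enum

# Chrome's "Lax+POST" intervention: a cookie that sets no SameSite attribute is
# treated as Lax, but is still sent on a top-level cross-site POST for this long
# after it was created. An explicit SameSite=Lax gets no such grace window.
LAX_POST_GRACE_SECONDS = 120

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


class SameSite(Enum):
    STRICT = "Strict"
    LAX = "Lax"
    NONE = "None"
    UNSPECIFIED = "unspecified"  # attribute absent on Set-Cookie (defaults to Lax)


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: SameSite
    secure: bool
    set_at: float  # seconds on some clock when Set-Cookie was processed


def cookie_accepted(cookie: Cookie) -> bool:
    """A SameSite=None cookie must also be Secure; browsers reject it otherwise."""
    return not (cookie.same_site is SameSite.NONE and not cookie.secure)


def cookie_sent(cookie: Cookie, method: str, cross_site: bool,
                top_level_navigation: bool, now: float) -> bool:
    """Decide whether the browser attaches `cookie` to a request."""
    if not cookie_accepted(cookie):
        return False          # never stored, so never sent
    if not cross_site:
        return True           # same-site requests always carry the cookie
    mode = cookie.same_site
    if mode is SameSite.NONE:
        return True
    if mode is SameSite.STRICT:
        return False
    # Lax (explicit or defaulted): only top-level navigations with safe methods...
    if not top_level_navigation:
        return False
    if method.upper() in SAFE_METHODS:
        return True
    # ...plus the defaulted-Lax grace window for unsafe top-level requests
    if mode is SameSite.UNSPECIFIED:
        return (now - cookie.set_at) <= LAX_POST_GRACE_SECONDS
    return False


def callback_has_cookie(response_mode: str, same_site: SameSite, secure: bool,
                        seconds_on_login_page: float) -> bool:
    """Simulate the issue's scenario (constructed): the app sets a correlation
    cookie when it redirects to the identity provider, the user waits on the
    login page, and the provider then returns to the app's callback using the
    given OIDC response_mode. The provider is assumed to be on another site."""
    cookie = Cookie("oidc.correlation", same_site, secure, set_at=0.0)
    # form_post returns via an auto-submitted form (POST); query/fragment are GETs
    method = "POST" if response_mode == "form_post" else "GET"
    return cookie_sent(cookie, method, cross_site=True,
                       top_level_navigation=True, now=seconds_on_login_page)


if __name__ == "__main__":
    for wait in (30, 300):
        for mode in ("form_post", "query"):
            print(f"wait={wait:>3}s response_mode={mode:<9} default cookie ->",
                  callback_has_cookie(mode, SameSite.UNSPECIFIED, True, wait))
    print("SameSite=None; Secure, form_post after 300s ->",
          callback_has_cookie("form_post", SameSite.NONE, True, 300))
    print("SameSite=None without Secure ->",
          callback_has_cookie("form_post", SameSite.NONE, False, 300))
```

Running the script reproduces the report: with a defaulted cookie and form_post the callback carries the cookie after a 30-second wait but not after 300 seconds, while switching the response mode to query keeps it, as does SameSite=None with Secure. The last line shows why the fix must be paired with HTTPS: SameSite=None without Secure is dropped at Set-Cookie time and never reaches any callback.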

Closing the issue for now due to inactivity. If you would like to add something, please do so.